UK “pioneering” global move away from passwords

Announced on the first day of the Government’s flagship cyber security event, namely CYBERUK, the move to implement passkey technology for the Government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.

Passkeys are unique digital keys tied to specific devices, such as a phone or a laptop, and help users login safely without needing an additional text message or other code. When a user logs into a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.

This method is more secure as the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.

The National Cyber Security Centre (NCSC) considers passkey adoption as being “vital” for transforming cyber resilience at a national scale, while the UK is already leading internationally with the National Health Service becoming one of the first Government organisations in the world to offer passkeys to end users.

In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password and SMS code.

Strengthening defences

Feryal Clark, Minister for Artificial Intelligence and Digital Government, observed: “The roll-out of passkeys across GOV.UK services marks another major step forward in strengthening the UK’s digital defences, while in parallel improving the user experience for millions.”

Clark continued: “Replacing older methods like SMS verification with modern and secure passkeys will make it quicker and easier for people to access essential services without them needing to remember complex passwords or wait for text messages. This shift will not only save users valuable time when interacting with Government online, but it will also reduce fraud and phishing risks that damage our economic growth.”

Ollie Whitehouse, chief technical officer at the NCSC, explained: “The NCSC has a stated objective for the UK to move beyond passwords in favour of passkeys as they’re secure against common cyber threats such as phishing and credential stuffing. By adopting passkey technology, Government is not only leading by example by strengthening the security of its services, but also making it easier and faster for citizens to access them.”

Whitehouse concluded: “We strongly advise all organisations to implement passkeys wherever possible to enhance security, provide users with faster and frictionless logins and save significant costs on SMS authentication.”

The NCSC has now joined the FIDO Alliance, the global body shaping the future of password-free authentication. This step forward will allow the UK to play an active role in the evolution of passkey standards. 

Profound decision 

Andrew Shikiar, CEO and executive director the FIDO Alliance, commented: “The UK Government’s adoption of passkeys across its digital services reflects a profound decision that stands to protect UK citizens, while providing the Government with greater security and operational efficiency. By prioritising modern and phishing-resistant authentication, the UK is setting a strong example for both the public and private sectors.”

Shikiar went on to state: “We’re also very pleased that the NCSC has joined the FIDO Alliance, which allows agencies across the UK Government to collaborate with other thought leaders in the Alliance in order to advance the development and deployment of foundational technologies that will strengthen our collective cyber resilience.”

For its part, the NCSC views passkeys as the future of online authentication, and is working diligently with vendors and organisations to make them widely available as an option for end users.