UK NCSC formally recommends switch to passkeys, reversing decades of guidance

The UK’s National Cyber Security Centre (NCSC) is advising everyone to switch to passkeys.

“Leave passwords in the past – passkeys are the future,” says a post on the centre’s blog, in language that echoes that used by passwordless pioneers at the FIDO Alliance. Passkeys, it says,  “should now be consumers’ first choice of login across all digital services.”

The formal endorsement of passkeys is further evidence that they have cleared the threshold for mainstream adoption. Indeed, with major payments providers, operating systems and social media companies on board with passkeys, government finds itself in the typical position of giving a fancy stamp to something that has already established a solid foothold among users. Data from Google shows the UK already leads global adoption of passkeys, with just over 50 percent of active Google users in the UK having one registered.

Still, it is a significant policy move for the NCSC, “overhauling decades of security practice.”

Passkeys when you can, MFA when you can’t

The rise of passkeys looks inevitable in light of the growing understanding of their benefits. Passkeys are more secure, faster, more convenient, and more resilient against today’s cyber attacks.

Yet the NCSC emphasizes that “this is not a decision taken lightly. It is based on extensive engagement with websites, app developers, technology vendors and the FIDO Alliance, alongside significant technical and sociotechnical research carried out by the NCSC.”

The conclusion is clear. “When combined with keeping your devices and apps up to date, passkeys significantly reduce the likelihood of phishing attacks, making this common technique far less effective for cyber criminals and nation-state actors. This means the more UK citizens choose to adopt passkeys, the greater our national resilience to phishing attacks.”

The formal guidance says to use passkeys “wherever a service supports them, and two‑step verification (2SV) where it does not.” The NCSC has put up a resource for those looking to switch to passkeys, and a post with some answers to anticipated questions.

“Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience,” says Jonathon Ellison, director for national resilience at NCSC. “The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience.”

Article Topics

biometrics  |  cybersecurity  |  multifactor authentication  |  passkeys  |  passwordless authentication