UK Cyber Chiefs Advocate Shift from Passwords to Passkeys

The UK’s National Cyber Security Centre (NCSC) has called for a transition away from traditional passwords, promoting passkeys as a more secure alternative. This shift aims to enhance digital account safety, especially as data breaches become increasingly common. While passwords have been the standard for online logins, experts now argue that passkeys offer superior protection.

How Do Passkeys Differ from Passwords?

Passkeys are cryptographic credentials tied to specific accounts and platforms, unlike passwords which require memorization. They are designed to work with existing device technologies, such as biometric scanners or PIN codes, eliminating the need for users to recall complex strings of characters. This approach reduces vulnerabilities linked to weak or reused passwords.

“Instead of creating and remembering a shared secret, your device generates a secure key pair. One part stays on your device, while the other is stored by the service you’re accessing,” explains Daniel Card of BCS, the Chartered Institute for IT.

The NCSC emphasizes that passkeys are unique to each website or app, minimizing the risk of intercepted data. They are also less susceptible to phishing attacks, according to Niall McConachie of Yubico. “Physical security keys are entirely resistant to phishing and cannot be stolen remotely,” he says.

Challenges in Adoption

Despite their benefits, passkeys face hurdles in widespread use. The NCSC previously hesitated to endorse them due to implementation issues, including slow adoption and inconsistent support across platforms. However, recent progress has seen major operating systems and browsers, like Apple and Google, integrate passkey functionality. The UK government has also started adopting them in digital services, signaling broader acceptance.

“This isn’t just a niche trend,” notes McConachie. “Growing support for passkeys, including their use by government systems, highlights their potential as a transformative security measure.”

While passkeys are praised as a robust solution, some experts caution they are not a perfect fix. Jonathan Ellison, NCSC’s director for national resilience, acknowledges their user-friendly nature but notes challenges remain. “Losing your device can complicate passkey setup,” he adds, stressing that the transition requires careful implementation.

As the push for passwordless authentication gains momentum, organizations like the NCSC are leading the charge. The move reflects a broader effort to reduce security risks by embracing technologies that align with modern device capabilities. Whether passkeys will fully replace passwords depends on continued adoption and overcoming remaining technical barriers.