UK CYBER AGENCY DITCHES PASSWORDS FOR PASSKEYS
INDUSTRY DESK
SAT, APR 25, 2026 ■ AI-SUMMARIZED FROM 1 SOURCE
The UK's National Cyber Security Centre has officially moved away from recommending passwords, endorsing passkeys as the more secure login method for digital services. Passkeys offer stronger protection against phishing and data breaches.
The National Cyber Security Centre (NCSC) announced it will no longer recommend passwords where passkeys are available, marking a significant shift in digital security guidance.
What are passkeys?
Passkeys are login credentials stored directly on users' devices—smartphones, tablets, or computers. Rather than typing a password, users authenticate through biometric data like fingerprints or face recognition, or device PIN codes.
How they work
When logging into an app or website, passkeys use public-key cryptography to verify identity without transmitting sensitive information across networks. The user's device stores a unique private key, and the service provider keeps the corresponding public key. The user is verified locally on the device, not by a centralized server.
Security advantages
Passkeys eliminate several vulnerabilities that plague traditional passwords. They are resistant to phishing attacks because they cannot be tricked into authenticating on fake websites. Users cannot be socially engineered into revealing them, as there is no shared secret to compromise.
Passkeys also provide protection against large-scale data breaches. Even if a service provider's database is compromised, attackers cannot use stolen credentials to access accounts elsewhere, since each passkey is unique to its service.
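The login flow and the phishing and breach resistance described above can be seen in a small model. This is an added example, not code from the NCSC or any passkey vendor. It is a simplified sketch in which the device signs the client data directly (real WebAuthn signs additional authenticator data), and the origin `https://bank.example` and all function names are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey login, not a WebAuthn implementation.
const nodeCrypto = require("node:crypto");

const RP_ORIGIN = "https://bank.example"; // hypothetical service origin (assumption)

// Registration: the private key stays on the device; the service stores only the public key.
function register() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey, origin: RP_ORIGIN }, serverRecord: { publicKey } };
}

// Service side: issue a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("base64url");
}

// Device side: the origin is supplied by the browser, not typed or chosen by the user.
// The passkey is only offered to the origin it was registered with.
function deviceSign(device, visitedOrigin, challenge) {
  if (visitedOrigin !== device.origin) return null; // no passkey exists for this site
  const clientData = JSON.stringify({ type: "webauthn.get", challenge, origin: visitedOrigin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service side: check challenge, origin and signature against the stored public key.
function serverVerify(serverRecord, expectedChallenge, assertion) {
  if (!assertion) return "no-assertion";
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return "malformed"; }
  if (data.challenge !== expectedChallenge) return "challenge-mismatch";
  if (data.origin !== RP_ORIGIN) return "origin-mismatch";
  const ok = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  return ok ? "ok" : "bad-signature";
}
```

The service never holds anything that can produce a valid signature, so a copy of its stored record is not enough to log in.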
Industry adoption
Major technology companies have already begun supporting passkeys. Google, Apple, and Microsoft now allow users to create and manage passkeys across their platforms. Financial institutions and major websites are gradually integrating passkey support as an authentication option.
The transition
The NCSC's guidance positions passkeys as consumers' first choice for login across all digital services. The agency cited modern cyber threats as the primary reason for moving beyond password-based security.
While complete password replacement will take time due to infrastructure requirements, the NCSC's endorsement accelerates industry momentum toward phishing-resistant, breach-resistant authentication methods.