UK Cyber Agency: Ditch Passwords for Passkeys to Block Hackers

Metro Loud

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, urges individuals to abandon traditional passwords for online accounts. Passkeys offer a password-free alternative that eliminates entire categories of cyber attacks, according to agency experts.

Why Passwords Fall Short

Most phishing schemes begin with hackers stealing or compromising login credentials. The NCSC highlights that relying solely on passwords exposes users to significant risks, prompting a shift away from decades-old practices.

How Passkeys Work

Passkeys function like a digital stamp, generated and stored directly on users’ devices such as phones, computers, or tablets. Authentication relies on biometrics like fingerprints or facial recognition, or a device PIN. Even if a website suffers a breach, attackers only obtain public keys, which prove useless without the private counterpart stored locally.

This setup prevents interception during login, as no passwords, SMS codes, or temporary tokens are transmitted. Users save about one minute per sign-in, streamlining access across devices.

Real-World Adoption and Savings

Government services, including the NHS, already deploy passkeys to protect patient data. This transition cuts costs by eliminating multi-factor authentication via text messages. Major platforms like Google, Microsoft, PayPal, and eBay have followed suit, with over half of Google’s UK users enrolled.

Escalating Cyber Threats

Following 2025 attacks on retailers Marks & Spencer, Co-op, and Harrods, Dr. Richard Horne, an NCSC expert, warns of a “diverse and dramatic” landscape. “We’ve managed more than 200 incidents since September last year until the end of March, including twice as many nationally significant ones compared to the prior year,” he states.

Expert Endorsements

Jonathon Ellison, NCSC director for national resilience, praises passkeys as a “user-friendly alternative” that boosts overall security. “As we strengthen UK’s cyber defenses at scale, adopting passkeys helps secure everyday digital services against current and emerging threats,” he adds.

Previously cautious due to implementation concerns, the NCSC now fully supports passkeys following industry advancements. A technical report released Thursday confirms they match or exceed the security of strong passwords combined with two-step verification.

Chris Hosking from SentinelOne emphasizes: “Passkeys remove entire classes of attacks.” He notes users often reuse weak passwords across dozens of accounts, fueling breaches. “When a popular service leaks credentials to the dark web, it triggers a chain reaction compromising multiple systems.”

Practical Advice

For services lacking passkey support, the NCSC recommends password managers to generate robust, unique passwords alongside two-step verification.