TechnologyUK NCSC

NCSC: Leave passwords in the past – passkeys are the future

  • GCHQ’s National Cyber Security Centre (NCSC) heralds a new era of secure sign-in with passkeys now ready for mass adoption.
  • Passwords are no longer resilient enough for the contemporary world, cyber experts say in new report published on Day Two of the CYBERUK conference in Glasgow.
  • Consumers are encouraged to migrate to passkeys where possible to unlock a simpler and safer digital lifestyle.

Passkeys should now be consumers’ first choice of login across all digital services, the UK government’s technical authority on cyber security announced today (Thursday).

Overhauling decades of security practice, the National Cyber Security Centre – a part of GCHQ – has decided to no longer recommend individuals use passwords where passkeys are available because passwords lack the relative resilience to modern cyber threats.

Passkeys are a newer method for logging into online accounts that do much of the heavy lifting for users, requiring only user approval rather than needing to input a password. This makes passkeys quicker and easier to use and harder for cyber attackers to compromise.

A new technical report, published today on Day Two of CYBERUK – the UK government’s flagship cyber security event in Glasgow, shows that passkeys are at least as secure as and generally more secure than pairing the strongest password with two-step verification (2SV).

The majority of cyber harms to individuals start with criminals stealing or compromising login details, making the adoption of passkeys a significant leap in boosting the UK’s resilience to phishing attacks.

A number of popular online service providers already support passkeys, including Google, eBay, and PayPal – and new data from Google shows the UK already leads global adoption of passkeys, with just over 50% of active Google services users in the UK having one registered.

The NCSC stopped short of endorsing the adoption of passkeys last year due to some key implementation challenges. However, progress within industry means they can now be recommended to the public as the more secure and user-friendly login method and to businesses as the default authentication option to offer consumers.

Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake.

The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative that provides stronger overall resilience.

As we aim to accelerate the UK’s cyber defenses at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.

Jonathon Ellison, Director for National Resilience, NCSC

Where a particular service does not support passkeys, the NCSC’s advice to consumers is to use a password manager to create stronger passwords and continue using two-step verification.

Making passkeys the default authentication recommendation is a critical step towards revolutionizing the way individuals use and access their online identities.

Source: UK NCSC (Cyber) (23 April 2026)

Related Articles

Back to top button