Learn why the UK’s National Cyber Security Centre advises passkey adoption across industries.
Alex
Created: February 11, 2025
Updated: March 21, 2025
Our mission is to make the Internet a safer place, and passkeys, the new login standard, provide a superior way to achieve that. That's why we want to help you understand passkeys and their characteristics better.
As we step into 2025, the urgency to improve online security has never been greater. Weak passwords remain a major cybersecurity risk, with recent surveys from the UK’s National Cyber Security Centre (NCSC) revealing that many individuals continue to use highly guessable passwords like “123456.” This outdated practice puts both individuals and businesses at risk, making it easier for cybercriminals to gain unauthorized access to sensitive information. While methods such as Multi-Factor Authentication (MFA) have helped mitigate these risks, the NCSC believes the future of online security lies in passkeys.
In this blog, we explore why passkeys are seen as the best replacement for passwords by the NCSC, the challenges hindering their mass adoption, and the steps the NCSC and industry leaders are taking to make passkeys the new standard for secure online authentication.
For decades, passwords have been the backbone of online authentication, yet they remain fundamentally flawed. Most cyberattacks that exploit individuals occur through compromised credentials - whether stolen via phishing scams, brute-force attacks, or simply because users reuse weak passwords across multiple accounts. Even with MFA, many users fail to enable it or opt for weaker second factors, such as SMS-based authentication, which can still be compromised.
The reality is that passwords were never designed to be a robust security measure. They originated in the 1970s when the internet was a closed environment used by a limited group of researchers. Today, with billions of users worldwide, the need for a more sophisticated and secure authentication method is evident.
Passkeys are a big advancement in authentication, offering a passwordless experience that is both more secure and more convenient for users. Unlike traditional passwords, which can be guessed, stolen, or phished, passkeys provide several key advantages:
Unphishable and Unique: Passkeys are cryptographically generated and unique to each website, eliminating the risk of credential reuse. If one account is compromised, it does not affect other accounts.
Faster and Easier: Microsoft reports that passkey-based logins take an average of 8 seconds, compared to 69 seconds for traditional passwords with MFA.
No More Password Resets: Since passkeys cannot be forgotten or mistyped, the cumbersome process of password resets is eliminated.
Given these advantages, the NCSC firmly believes that passkeys should replace passwords as the default method of authentication.
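Why a passkey assertion obtained on one site is useless on another, as an added example (not code from the NCSC or Corbado): the relying-party checks on a WebAuthn assertion, which is the protocol passkeys are built on, written for Node.js. The site `example.com`, the function names and the simulated authenticator are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Assumed relying-party settings for a hypothetical site.
const RP_ID = "example.com";
const EXPECTED_ORIGIN = "https://example.com";
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed stand-in for browser + authenticator. The signature covers
// authenticatorData || SHA-256(clientDataJSON), as WebAuthn specifies.
function makeAssertion(privateKey, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // rpIdHash (32 bytes) | flags (UP bit set) | signCount (4 bytes)
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signature = crypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party side: every check must pass before the login is accepted.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "bad challenge";
  if (client.origin !== EXPECTED_ORIGIN) return "bad origin";
  if (a.authenticatorData.length < 37) return "short authenticatorData";
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(RP_ID))) return "bad rpIdHash";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const genuine = makeAssertion(privateKey, EXPECTED_ORIGIN, RP_ID, challenge);
  // A real authenticator would not release this key to another RP ID; the
  // key is reused here only to exercise the server-side checks.
  const otherSite = makeAssertion(privateKey, "https://login.example.net", "example.net", challenge);
  const wrongRp = makeAssertion(privateKey, EXPECTED_ORIGIN, "example.net", challenge);
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    otherSite: verifyAssertion(publicKey, challenge, otherSite),
    wrongRp: verifyAssertion(publicKey, challenge, wrongRp),
    replay: verifyAssertion(publicKey, crypto.randomBytes(32), genuine),
  };
}
console.log(demo());
```

A production verifier additionally tracks the signature counter and, where required, the user-verification flag; those are omitted here to keep the origin and RP ID binding in focus.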
Despite their potential, passkeys have not yet reached full-scale adoption across all digital services. The NCSC has identified several key challenges preventing widespread implementation:
1. Migration Between Platforms
Unlike passwords, which can be manually entered on any device, passkeys currently lack a universal migration system. Moving from one ecosystem (e.g., Apple’s iCloud Keychain) to another (e.g., Google Password Manager) remains difficult. However, industry groups like the FIDO Alliance are working to resolve this.
2. Security of Account Recovery Processes
As passkeys make traditional credential theft harder, cybercriminals may shift their focus to exploiting account recovery mechanisms, such as email or phone-based recovery. This creates a new attack vector that needs to be properly secured by service providers.
3. User Experience and Awareness
Many users are unfamiliar with how passkeys work or why they are superior to passwords. Without clear communication and education, users may resist adopting this new authentication method.
To address these challenges and drive mass adoption, the NCSC is taking the following steps:
Collaboration with Industry Leaders: Working alongside FIDO, major tech vendors, and cybersecurity organizations to standardize passkey implementation.
Encouraging Businesses to Offer Passkeys: Advising UK businesses to provide passkeys as a login option to users and integrate them into their authentication systems.
Government-Led Initiatives: Exploring how GOV.UK One Login can utilize passkeys for secure citizen access to government services.
Regulatory Review and Standards Updates: Revising cybersecurity regulations to ensure organizations can offer passkeys in a compliant manner.
User Education and Awareness Campaigns: Raising awareness among consumers about the security benefits and ease of using passkeys.
If you own a business or website that authenticates users, the answer is a resounding yes. Passkeys offer superior security and user experience, but organizations must consider their user base and ensure proper backup and recovery mechanisms are in place before making the switch.
If you’re an individual user, adopting passkeys today will significantly improve your online security. They protect against phishing, make login processes seamless, and eliminate the risks associated with weak or reused passwords. If your favorite services support passkeys, enabling them is a no-brainer.
The NCSC remains firm in its belief that passkeys represent the future of online security. By eliminating passwords, users gain a safer and more efficient authentication process, reducing their exposure to cyber threats. However, achieving full-scale adoption will require ongoing industry collaboration, technological refinement, and user education.
As the digital world evolves, passkeys will become the gold standard for authentication. Businesses, governments, and users alike must work together to accelerate this transition, ensuring a more secure and phishing-resistant future for all.