The National Cyber Security Center (NCSC), part of GCHQ, has advised the public and businesses to stop relying on passwords where passkeys are available.
In updated advice released alongside a technical report at the CYBERUK conference on Thursday, the agency said passwords have become increasingly vulnerable to common cyberattacks, particularly phishing, in which users are tricked into revealing login details.
The NCSC is instead promoting passkeys, a password-free sign-in method that uses cryptographic keys stored on a user’s device. The system creates a pair of keys: a private key kept on the device and a public key held by the online service. Officials say the private key is never shared, meaning it cannot be stolen from the service’s servers.
“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in, where users migrate to passkeys,” said Jonathon Ellison, the NCSC’s director for national resilience. “They are a user-friendly alternative that provides stronger overall resilience.”
Under the new guidance, passkeys are described as being “at least as secure as, and generally more secure than” a combination of strong passwords and two-step verification.
Stolen credentials are often reused across multiple services, allowing attackers to gain wider access once a single account is compromised.
“The reality is we all juggle dozens of logins across our work and personal lives, and expecting all your employees to create and manage strong, unique passwords for each one simply isn’t realistic,” said Chris Hosking of SentinelOne. “Passkeys remove entire classes of attacks, as there’s no password to steal or reuse.”
The NCSC had previously held back from fully endorsing passkeys due to technical and compatibility concerns, but said these issues have improved across the technology sector.
Major providers, including Google, Microsoft, eBay, and PayPal, now support passkeys, with adoption growing. Data cited by the agency indicates that more than half of Google’s active UK users have registered at least one passkey.
Government services have also begun implementing the system, including the National Health Service, where officials say it has improved security and reduced costs by removing the need for text-based verification codes.
The NCSC said users should adopt passkeys where available. Where they are not yet supported, it advises the use of a strong, unique password stored in a password manager, along with two-step verification.

