The UK’s National Cyber Security Centre (NCSC) urged Britons and businesses to move away from traditional passwords and adopt passkeys as the default method of logging into online services.
In a significant shift from decades of security advice, the NCSC declared today that passkeys should now be consumers’ first choice wherever they are available. It stated that passwords no longer offer sufficient protection against modern cyber threats.
Passkeys use public-key cryptography and are stored securely on users’ devices (such as smartphones, laptops or security keys). They replace the need to remember complex passwords and are inherently resistant to phishing, credential stuffing and brute-force attacks.
The NCSC’s technical assessment concludes that passkeys are at least as secure as, and generally more secure than, using a strong password combined with two-step verification (2SV).
Jonathon Ellison, Director for National Resilience at the NCSC, said: “The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative that provides stronger overall resilience.”
The new guidance was announced at the NCSC’s annual CYBERUK 2026 conference in Glasgow, Scotland.
The centre had previously been cautious about fully endorsing passkeys due to implementation challenges but said industry progress now makes them ready for widespread adoption.
Where passkeys are not yet supported, the NCSC continues to recommend using a password manager for strong, unique passwords combined with 2SV.
NCSC Chief Technical Officer Ollie Whitehouse added that organisations should implement passkeys wherever possible to improve security, deliver faster logins and reduce costs associated with SMS-based authentication.
Major technology companies including Apple, Google and Microsoft already support passkeys across their platforms.
The move aligns with a broader global trend towards passwordless authentication, with the UK Government planning to roll out passkeys for GOV.UK services.
Passkeys work by generating a cryptographic key pair: one key stays securely on the user’s device, while the other is linked to the online account.
Unlike passwords, they cannot be guessed or phished, can be up to eight times faster to use and completely remove the hassle of creating and remembering multiple credentials.
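The key-pair login described above can be modelled in a few lines of Node.js. This is an added illustration, not NCSC or vendor code, and it is a simplified model rather than the WebAuthn wire format: the class names, the `alice` account and the `shop.example` / `sh0p.example` origins are constructed for the example.

```javascript
const crypto = require('node:crypto');

// Device side (hypothetical model): private keys are stored per origin and never leave.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is sent to the service
  }
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey exists for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64url') });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Service side (hypothetical model): holds public keys only, so a breach leaks no secret.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.accounts = new Map(); }
  enroll(user, publicKey) { this.accounts.set(user, publicKey); }
  newChallenge() { return crypto.randomBytes(32); } // fresh per login attempt
  verify(user, challenge, assertion) {
    const publicKey = this.accounts.get(user);
    if (!publicKey || !assertion) return false;
    const data = JSON.parse(assertion.clientData);
    return data.origin === this.origin &&
      data.challenge === challenge.toString('base64url') &&
      crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
  }
}

function demo() {
  const rp = new RelyingParty('https://shop.example'); // constructed origin
  const device = new Authenticator();
  rp.enroll('alice', device.register(rp.origin));
  const challenge = rp.newChallenge();
  const good = device.sign(rp.origin, challenge);
  const lookalike = device.sign('https://sh0p.example', rp.newChallenge());
  return {
    login: rp.verify('alice', challenge, good),           // genuine site, fresh challenge
    replay: rp.verify('alice', rp.newChallenge(), good),  // old assertion, new challenge
    lookalike: rp.verify('alice', challenge, lookalike),  // device had nothing to sign
  };
}
```

Only the genuine login verifies; the replayed assertion fails the challenge check, and the lookalike origin yields no assertion at all because the device holds no key for it.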