"should now be consumers’ first choice of login," the NCSC wrote — a short sentence that marks a long shift in official guidance on how people and organisations should sign in online.
The NCSC's position on passkeys
The UK’s National Cyber Security Centre (NCSC) has moved from cautious endorsement to full advocacy: the agency says passkeys "should now be consumers’ first choice of login" and that it no longer recommends passwords except where passkeys are not available on a digital service. That change follows a year of close work with industry and observation of improvements across the passkey ecosystem.
FIDO Alliance and technical standards
The NCSC’s confidence rests squarely on progress in open standards developed by the FIDO Alliance, an industry consortium that aims to reduce reliance on passwords and improve authentication security. The source cites FIDO standards such as FIDO2 and WebAuthn, which enable signing in using biometrics, security keys, or device‑based authentication instead of passwords.
Passkeys in the NHS
Part of the evidence the NCSC points to is the reported success of passkeys within the National Health Service (NHS). The agency says positive outcomes in the NHS helped persuade it that passkeys are now both more secure and more user‑friendly than passwords for many services.
Vendor adoption: Google, Apple, Microsoft and government plans
The wider market has been moving in the same direction. Google made passkeys the default sign‑in option for all users in 2023; Apple followed "soon after" in 2024; and Microsoft made passkeys available to all consumer accounts in 2025, saying they would do a "much better job" than passwords at protecting accounts from malicious attacks. The UK government also published plans in 2025 to roll out passkeys across all digital services.
Guidance for businesses: SSO and future NCSC advice
Alongside its consumer recommendation, the NCSC has signalled how organisations should respond. For businesses, the current authentication guidance is to use single sign on (SSO) wherever possible, and the NCSC said it is expected to provide more guidance to business in the future. That suggests a two‑track approach: encourage public adoption while refining enterprise deployment advice.
What this means for consumers, the NHS, and businesses
- Consumers: The NCSC’s statement tells individual users that passkeys should be their first choice where available, and that passwords should be reserved only for services that do not yet offer passkeys.
- The NHS: With the agency citing success inside the NHS, health services that have adopted passkeys now serve as demonstration projects that helped shift the NCSC’s stance.
- Businesses: Organisations are advised to prioritise SSO and to look for forthcoming, more detailed guidance from the NCSC as passkey rollouts continue and standards like FIDO2 and WebAuthn are implemented more widely.
The NCSC’s change is procedural as well as declarative: after a year of watching industry progress and addressing issues such as inconsistent passkey "flavours," varied terminology, and an earlier lack of consensus on appropriate use cases, the agency concluded that the ecosystem has matured enough to recommend passkeys to the public and to businesses as the default consumer authentication option to offer.
By tying its recommendation to both standards work (FIDO2, WebAuthn) and practical deployments (NHS, major vendors), the NCSC has anchored its advice to measurable developments. The next practical steps to watch are the additional business guidance the NCSC said it will issue and how quickly public services and commercial providers align with the UK government’s 2025 plan to roll out passkeys across all digital services.




