Skip to main content
Cybersecurity

NCSC Endorses Passkeys Over Passwords in New Guidance

Person holding smartphone in modern conference room setting with technical diagrams.

"The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative that provides stronger overall resilience," said Jonathon Ellison, director for national resilience at the UK's National Cyber Security Centre (NCSC).

NCSC makes passkeys the default at CYBERUK

At its annual CYBERUK conference the NCSC published a technical report that for the first time instructs consumers to prefer passkeys over passwords wherever passkeys are available. The agency concluded passkeys "are at least as secure as, and generally more secure than" the combination of a password and two-step verification (2SV), and its new official guidance states that passwords should not be used where passkeys are available.

How passkeys work and the benefits the NCSC highlights

The report explains passkeys function by creating a cryptographic key pair between a user's device and the protected account. According to the NCSC, passkeys cannot be guessed or phished, are up to eight times faster to use than passwords, and remove the burden of creating and remembering credentials.

  • The agency emphasises that passkeys improve "overall resilience" for everyday digital services.
  • Passkeys also address user fatigue: they eliminate the repeated credential creation and memorisation that have characterised password use for decades.

Industry movement and the implementation gaps that delayed endorsement

The NCSC said it considered endorsing passkeys last year but delayed until key implementation challenges were addressed by vendors. Those gaps included inconsistent passkey naming across platforms, unreliable device support, and limited credential manager compatibility; the agency judged those issues have narrowed enough to support a broader transition.

In its report the NCSC named specific platforms that have helped adoption: Google, eBay, and PayPal were cited as making it easier for users to register passkeys, and the agency noted "around 50 percent of UK Google users" had registered at least one passkey. The NCSC also recorded that Microsoft made passkeys the default standard nearly a year ago.

Where passkeys aren't yet an option: passwords + 2SV and password managers

Where passkeys are not available, the NCSC — described in the report as "the signals intelligence agency" — advises continuing to use the password plus 2SV combination. The guidance recommends that both consumers and businesses use a password manager so those passwords remain complex and unique to each service.

The report reiterates a familiar defensive point: unique passwords limit the damage if credentials appear in an "infostealer dump," and adding 2SV provides an additional barrier should a criminal obtain a correct username-password pair. The NCSC used that scenario to underline why, until universal passkey support exists, layered protection remains essential.

How consumers, UK organisations, and platform operators are affected

Consumers: Where passkeys are available, the NCSC is telling end users to migrate off passwords to avoid phishing and guessing attacks and to reduce the cognitive burden of credential management.

UK organisations and businesses: The agency's guidance pushes organisations to prioritise adoption at scale. Richard Horne, the NCSC's CEO, warned that the number of nationally significant cyberattacks is hovering around levels last seen in October, when the NCSC reported it witnessed four such attacks every week; Horne urged organisations to prioritise security hygiene as Britain enters a period of "tumultuous uncertainty."

Platform operators: Companies named in the report — Google, eBay, PayPal and Microsoft — are held up as examples of platforms that have eased user migration. The NCSC's endorsement creates a clearer signal for other platforms and credential manager vendors to resolve naming, device support, and compatibility frictions so consumers can adopt passkeys broadly.

The NCSC's technical judgment is decisive: passkeys are no longer a niche replacement but the recommended default where available. The next practical questions the report sets for providers and customers are straightforward and concrete — finish addressing remaining compatibility and device-support wrinkles, widen vendor defaults, and keep passwords protected with 2SV and password managers until passkeys are ubiquitous. The agency's tone is a mix of encouragement and urgency: migration to a stronger, less phishable login standard is both possible and necessary while the country faces "tumultuous uncertainty."

Original story