
UK Urges Adoption of Passkeys Over Passwords

"The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys - they are a user-friendly alternative which provide stronger overall resilience," Jonathon Ellison, director for national resilience at the NCSC, said as Britain signaled a clear shift away from passwords.

NCSC and the U.K.'s turnaround on passkeys

The National Cyber Security Centre (NCSC), the cyber arm of intelligence agency GCHQ, has moved from caution to endorsement. The agency says passkeys, digital credentials built on the phishing-resistant FIDO2/WebAuthn standard that, in the synced form most consumers use, follow the user across devices, eliminate many common account-takeover vectors. In plain terms, the NCSC argues that the majority of cyber harms to individuals begin with stolen or compromised login details, and that passkeys offer a "huge leap" in resilience to phishing attacks. The recommendation reverses the agency's stance of a year earlier, when it concluded passkeys were not yet ready for primetime.

How passkeys (FIDO2) actually work

Passkeys rely on asymmetric cryptography. When a user registers, their device generates a key pair: a private key that never leaves the device (or the user's synced credential manager) and a public key that the account provider stores against the account. At login the provider issues a fresh random challenge; the device signs that challenge, together with the origin of the site that requested it, using the private key, and the provider verifies the signature against the stored public key and confirms that the origin is its own. Because no shared secret exists for either side to leak, credential stuffing, password spraying and the reuse of breached password databases drop out of the threat model. Because the signature is bound to the genuine origin, a lookalike site cannot relay a valid response to the real provider, which is what makes the scheme phishing-resistant rather than merely password-free.

Adoption signals: the FIDO Alliance study and device vendors

Adoption is already measurable. An October 2025 FIDO Alliance study of nine members — including Amazon, Google, Microsoft, PayPal, Target and TikTok — found 93% of users of major services had systems compatible with passkeys, and that passkeys accounted for 26% of logins to those services. Device‑based credential managers that synchronize passkeys across multiple endpoints are widespread: built‑in options include Apple Passwords, Google Password Manager, Samsung Pass and Windows Hello, while third‑party vendors such as 1Password, Bitwarden and LastPass also support the model.

The FIDO Alliance data further quantified user experience: passkeys required an average of 8.5 seconds per sign‑in, compared with 31.2 seconds for traditional multifactor authentication workflows that often rely on one‑time passwords from authenticator apps. The National Health Service, an early government adopter, reported notable cost savings after reducing OTP deliveries and observed that most users simply want the functionality — not the cryptographic explanations behind it.

Report URI and the technical caveats NCSC flags

Passkeys change the authentication surface, but they do not absolve organizations of other application security responsibilities. Cybersecurity firm Report URI warned that deploying passkeys without addressing broader application security risks can create a false sense of security: "The password is eliminated, but the session remains vulnerable." The NCSC's in-depth technical guidance mirrors that concern. It urges firms to harden defenses against cross-site scripting (XSS) that could target FIDO2 processes: script injected into the provider's own origin runs with that origin's privileges, so it can drive the WebAuthn API or steal the session cookie issued after a successful passkey login, and origin binding offers no protection against it. The guidance also advises tying passkeys to a single domain, or adding support for related origin requests where cross-domain use is genuinely required, and providing controls for revoking public keys when a passkey is no longer needed.

Best practice recommendations in the guidance include giving users the ability to revoke FIDO2 public keys and, for users who store credentials on a single device, recommending backup authentication such as a physical security key or an authenticator app to recover access if the device is lost.

What this means for users, the National Health Service, and account providers

  • Users: Expect faster, simpler sign‑ins that often look like unlocking a phone with a PIN, fingerprint or face; the NCSC notes many users will adopt without wanting technical detail.
  • National Health Service: As an early adopter, the NHS has already recorded cost savings from reduced OTP use and provides a real‑world case that operational benefits can follow migration.
  • Account providers: Must implement passkeys as part of a robust identity and access management program, address session security and XSS risks, provide revocation and recovery options, and correctly scope domains or related origin requests to avoid operational or security gaps.

The U.K.'s public move — from caution to active support — frames passkeys not as a niche improvement but as a practical, measurable advance in authentication. The data cited by the NCSC and the FIDO Alliance suggests the technical ecosystem and vendor support are already in place; the remaining work falls to account providers and security teams to pair passkeys with hardened application and session controls so the promise of simpler, faster, and more secure logins is realized without introducing new attack surfaces.