GCHQ’s National Cyber Security Centre (NCSC) has just updated its guidance. It is now recommending that consumers should pick passkeys, rather than passwords, as their first login choice across all digital services. The decision was announced on Thursday, and it is notable because the NCSC is the UK government’s technical authority on cyber security.
The recommendation is a change from last year when the NCSC stopped short of endorsing adoption due to some key implementation challenges. Thanks to progress made since then, it is now recommending the technology to the public as a more secure and user-friendly login method. It also calls on businesses to use it as the default authentication option to offer to consumers.
Commenting on passkeys, Jonathon Ellison, Director for National Resilience at NCSC, said:
“Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake.
The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience.
As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”
While passkeys may be stronger for the general public, they’re simply not as common as passwords yet, and likely won’t be for a very long time. For those websites that don’t support passkeys yet, the advice is to use a password manager to create a strong password and to use two-factor authentication.
The UK government said last year that it would roll out passkeys for its digital services as an alternative to SMS-based verification. It expects this to save millions of pounds annually.