UK Cyber Chiefs Advocate Replacing Passwords with Passkeys
Individuals in the UK have been encouraged to begin replacing passwords with passkeys where possible to enhance the security of their online accounts.
For many years, passwords have been the standard method for setting up and accessing accounts on digital platforms.
However, on Thursday, the National Cyber Security Centre (NCSC) announced it is "overhauling decades of security practice" by recommending passkeys as the most secure authentication method.
Major platforms such as Apple, Google, and X already support passkeys as an alternative to passwords, but what exactly are passkeys and how do they function?
This guidance follows longstanding advice cautioning against the use of simple or easily guessable passwords, such as "123456" or pet names.
In the context of increasing data breaches, the NCSC has reiterated warnings about the risks of reusing the same password across multiple websites.
To improve security, the use of password managers and multi-factor authentication (MFA) has become more widespread for managing and strengthening login credentials.
The NCSC considers passkeys to potentially be less susceptible to hacking and human error, though some experts caution they are still "not a silver bullet."

What Are Passkeys?
Passkeys, like passwords, serve as a form of authentication to verify a user's identity when accessing an account.
Unlike passwords, passkeys do not require users to memorize a code or a combination of letters, numbers, and symbols.
They consist of digital information linked to a user's account and are unique to each website or application.
Passkeys employ cryptographic techniques to perform verification at the device level.
Typically, they integrate with existing device technologies such as Face ID and Touch ID on iPhones, or Face Unlock on Google Pixel phones.
Operating system developers like Google and Apple offer passkeys as an alternative login method.
According to the NCSC, passkeys provide enhanced protection because each is unique to the specific website where it is registered, and no secret information is shared during authentication.
"A user-friendly alternative which provide stronger overall resilience," said Jonathan Ellison, the NCSC's director for national resilience.
He added that passkeys could also alleviate "the headaches that remembering passwords have caused us for decades."
How Do Passkeys Work?
Passkeys operate through a process known as public key cryptography.
"Instead of you creating and remembering a shared secret, like a password, your device generates a secure key pair - one part stays on your device, and the other sits with the service you're logging into," explained Daniel Card of BCS, the Chartered Institute for IT.
The authentication typically involves the user performing the same action used to unlock their device, such as biometric verification via fingerprint or facial recognition, or entering a PIN code.
Only confirmation that the verification was completed is transmitted, not the biometric or PIN data itself.
"These physical security keys are totally resistant to phishing attempts and can't be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts," stated Niall McConachie, regional director at cybersecurity firm Yubico.
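The flow described above, as an added example that is not part of the original article: a simplified JavaScript (Node.js) model of passkey registration and login, showing why a look-alike site or a replayed response gets nothing usable. It is not the real WebAuthn message format, and the class names, origins and user name are assumptions made for illustration.

```javascript
// Added example: simplified passkey model, not the real WebAuthn wire format.
const crypto = require('node:crypto');

// The user's device: one private key per website origin; keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {            // new key pair per site, only the public half is returned
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey;
  }
  sign(origin, challenge) {     // origin = the site the browser is actually on
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;               // no passkey for this origin
    const clientData = Buffer.from(JSON.stringify(
      { origin, challenge: challenge.toString('base64') }));
    return { clientData, signature: crypto.sign(null, clientData, privateKey) };
  }
}

// The website: stores only public keys and issues single-use random challenges.
class Server {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) { const c = crypto.randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                  // a challenge is valid once
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !assertion) return false;
    const data = JSON.parse(assertion.clientData.toString());
    if (data.origin !== this.origin) return false;                       // signed for another site
    if (data.challenge !== challenge.toString('base64')) return false;   // stale or replayed
    return crypto.verify(null, assertion.clientData, publicKey, assertion.signature);
  }
}

function demo() {
  const site = 'https://bank.example', lookalike = 'https://bank-login.example'; // constructed origins
  const device = new Authenticator(), server = new Server(site);
  server.enroll('alice', device.register(site));
  const ok = server.verify('alice', device.sign(site, server.newChallenge('alice')));
  // Look-alike page forwards a genuine challenge, but the device holds no key for that origin.
  const phished = server.verify('alice', device.sign(lookalike, server.newChallenge('alice')));
  // A captured response is presented again after the server has issued a fresh challenge.
  const captured = device.sign(site, server.newChallenge('alice'));
  server.newChallenge('alice');
  const replay = server.verify('alice', captured);
  return { ok, phished, replay };
}
```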
Limitations: 'Not a Silver Bullet'
The NCSC and many cybersecurity professionals view passkeys as potentially as secure as, or more secure than, MFA methods that combine strong passwords with additional verification steps.
However, Card and other experts emphasize that passkeys are "not a silver bullet."
One challenge is that losing access to the device where passkeys are stored can complicate account recovery and passkey configuration.
The NCSC previously refrained from recommending passkeys due to "implementation challenges," such as slow adoption rates and inconsistent support across platforms.
Many platforms still do not permit users to utilize passkeys either as a replacement for or alongside passwords.
Nevertheless, the FIDO Alliance, an industry group promoting passkeys as a path toward a "password-less future," reports that passkey technology is now supported across all major operating systems, web browsers, and third-party providers.
McConachie noted that increasing adoption, including the UK Government's implementation of passkeys across digital services last year, indicates that "this isn't just a niche trend."
"Moving from passwords to password managers, app-based MFA, and now passkeys is a step change in reducing risk," Card added.
"That's why organisations like the NCSC are backing them, and why many in the security community are already adopting them wherever they're available."
