The National Cyber Security Centre (NCSC) has published guidance recommending the use of password managers and passkeys, insisting that the latter are the “future of authentication”.
In a blog post outlining the advantages of both, the cybersecurity agency noted that first-party, browser-based password managers can be a handy tool for users due to their deep integration with a platform’s security.
Browsers such as Chrome, Safari, Edge, and Firefox all offer built-in password management capabilities, making them a convenient option for users.
Dedicated password management platforms are also a viable option. Notably, the agency said that long-standing services will probably have only survived due to their strong attention to security practices.
It's worth noting that there have been issues with password managers in recent years, with high-profile breach incidents denting consumer confidence.
So what makes password managers safe and secure? According to the NCSC, password data is stored securely either by using "device features like security chips, or encryption, or both".
"Many first-party and third-party password managers now use fingerprint or facial recognition before revealing passwords," the agency added.
A passkey, meanwhile, is a new standard developed and supported by tech giants like Apple, Google, and Microsoft, offering a passwordless login technology based on public-key cryptography.
Instead of a password, the device creates a pair of complex secrets for each website the user signs up to, keeping one secret and giving the other to the website at the time of sign-up.
Because the key pair combination is unique, the passkey will only work on the website or app it was created for.
When the user logs in, the device checks that it is the right person through whatever means is usually used to unlock it, and can then prove to the website that it has the device secret, without actually revealing the secret itself.
"Because this happens so quickly, it's often eight times faster than logging in with a username, password and two factor code, whilst being more secure," said the NCSC.
"Passkeys are rolling out fast. Websites like Google, eBay, and PayPal already support them. They’re easy to use, hard to compromise, and eliminate password fatigue."
Choosing your options
First and foremost, the NCSC said it is important to consider a company's reputation when choosing tools such as these.
ITPro has a comprehensive list of password managers that both individuals and businesses can choose from below.
While these tools provide convenience, users are still urged to follow best practices in terms of cyber hygiene and awareness. The agency advised users to make sure they run updates, use biometric locks, and backup recovery options.
For example, this could include using recovery keys or trusted contacts.
“Don’t be afraid to adopt new security practices like passkeys – they’re easier and it’s where the internet is headed,” the agency added.
Greg Wetmore, vice president of product development at Entrust, echoed the NCSC’s stance on passkeys, claiming that they’re a game changer from a cybersecurity perspective.
Passwords are easy to breach, he noted, and often challenging to remember, with research indicating that more than half of people have to reset their password once a month because they can't remember it.
"Creating a unique, secure password is difficult to achieve for each account, with the average person having 170 passwords. Passkeys provide an excellent technical response to the problems with passwords," he said.
"Perhaps the most important security attribute of passkeys is that they are phishing resistant. An attacker cannot steal your passkey and subsequently use it to access your online account. The NCSC are right; It's time to move from passwords to password managers and passkeys."
MORE FROM ITPRO
- Are password managers safe? Here’s how to use them
- How to create a secure password policy
- The end of passwords – and how businesses will embrace it
-
MCP servers used by developers and 'vibe coders' are riddled with vulnerabilitiesNews Security researchers have issued a warning over rampant vulnerabilities found in MCP servers used by developers and 'vibe coders'.
-
North Korean IT workers: The growing threatIn-depth As fake IT worker schemes plague firms in the US and Europe, what can leaders do to protect their organizations?
-
I love magic links – why aren’t more services using them?Opinion Using magic links instead of passwords is safe and easy but they’re still infuriatingly underused by businesses
-
Password management startup Passbolt secures $8 million to shake up credential securityNews Password management startup Passbolt has secured $8 million in funding as part of a Series A investment round.
-
LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrencyNews The hackers behind the LastPass breach are on a rampage two years after their initial attack
-
GitHub launches passkeys beta for passwordless authenticationNews Users can now opt-in to using passkeys, replacing their password and 2FA method
-
Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectorsNews Database admins are advised to enforce better controls as attacks ending in ransomware are being observed
-
No, Microsoft SharePoint isn’t cracking users’ passwordsNews The discovery sparked concerns over potentially invasive antivirus scanning practices by Microsoft
-
Microsoft Authenticator mandates number matching to counter MFA fatigue attacksNews The added layer of complexity aims to keep social engineering at bay
-
As Google launches passwordless authentication for all, what are the business benefits of passkeys?News Google follows Apple in its latest shift to passwordless authentication, but what are the benefits?
