The NCSC says it’s time to switch to passkeys
UK security organization calls for companies to step up and offer more secure ways to log in
It's time to finally kill off passwords in favour of passkeys – and companies need to start offering them as a way to log in.
That's according to the UK's National Cyber Security Centre (NCSC), which is now advising consumers to use passkeys where available because they offer "stronger resilience" to cyber attacks and are easier to use.
Passkeys tie credentials to a specific device, including a smartphone or laptop, removing the need for text messages or email verification codes.
The NCSC sees this as more secure as hackers would need to intercept the code or steal the device itself for access. In a blog post, the security agency said this makes passkeys "phishing-resistant" by design.
While the NCSC has long persisted with passwords as its official preference, last year it began recommending users switch to passkeys or a password manager.
In a statement, the NCSC said it had stopped short of fully endorsing passkeys due to "some key implementation challenges", but pointed to progress within the industry.
Indeed, the shift to passkeys is well underway. As the agency noted, passkeys are widely supported and half of Google users in the UK have one set up.
"Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake," said Jonathon Ellison, Director for National Resilience at the NCSC.
"The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience."
The NCSC said beyond better security and lower costs for companies, passkeys save a minute per login versus a username, password, and text verification code.
Industry push needed for passkeys
Of course, for that shift to happen, organizations need to step up and ditch passwords and SMS verification in favour of passkeys.
"We strongly advise all organizations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins and to save significant costs on SMS authentication," NCSC Chief Technical Officer Ollie Whitehouse said.
The government is hoping to achieve this later in the year across its own digital services. The NHS was one of the first government organizations in the world to offer passkeys for logins.
"The rollout of passkeys across GOV.UK services marks another major step forward in strengthening the UK’s digital defences while improving the user experience for millions," said AI and Digital Government Minister Feryal Clark.
Why passkeys?
Passkeys are framed as a key weapon in the fight against phishing attacks. Beyond being more resistant to these attempts, they will also help reduce the number of texts users have to wade through.
This has become a major problem, and one exacerbated by the rise of phishing as a service (PhaaS) platforms like Tycoon 2FA, as well as the rise of AI-generated phishing campaigns.
To help with passkey rollout, the NCSC has joined forces with the FIDO Alliance, which is working towards password-free authentication.
"We’re also very pleased that the NCSC has joined the FIDO Alliance, which allows agencies across the UK government to collaborate with other thought leaders in the Alliance to advance the development and deployment of foundational technologies that will strengthen our collective cyber resilience," said Executive Director and CEO of the FIDO Alliance Andrew Shikiar.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.
