Consumers are being urged to replace passwords with passkeys as a simpler, more secure method of accessing online services.
The National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, said today that it would no longer recommend that individuals use passwords for logging on where passkeys are available as an alternative.
Passkeys, which are securely stored on people’s phones, computers, or in third-party credential managers, are quicker and easier to use than passwords and offer stronger security.
The NCSC’s recommendation follows a technical study that shows passkeys are at least as secure – and generally more secure – than a password combined with two-factor authentication, such as an authorisation code sent by SMS.
Resilience against phishing
The agency claims that a move to passkeys would boost the UK’s resilience to phishing attacks and other hacking attempts, the majority of which rely on criminals stealing or compromising login details.
The UK government announced last year that it would roll out passkey technology for digital services as an alternative to current SMS-based verification systems, which incur additional costs for sending SMS messages.
The NHS became one of the first government organisations in the world to use passkeys to give patients secure access to hospital and pharmacy websites.
Online service providers, including Google, eBay and PayPal, also support passkeys. According to Google, over 50% of active Google users in the UK have a registered passkey – the highest uptake. Microsoft is also introducing passkeys for Hotmail.
Better security than 2FA
Passkeys offer a greater level of security than passwords and SMS two-factor authentication (2FA), both of which can be compromised by hackers.
They allow people to log into websites securely, using their own mobile phones, tablets or laptops to verify their identity by entering a PIN or using facial recognition.
Passwords combined with SMS-based two-factor authentication can be vulnerable to “SIM swapping” attacks, in which criminals have a victim’s phone number transferred to a SIM card they control in order to intercept the authentication codes.
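To make the phishing and SIM-swapping points above concrete, here is an added model (not NCSC’s or any vendor’s code) of the checks a website performs on a passkey login, and of why a look-alike site cannot pass them. It assumes a constructed relying party at bank.example and uses an HMAC over a per-credential secret as a stand-in for the authenticator’s public-key signature so that it runs with Python’s standard library only.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlparse

RP_ID = "bank.example"                                       # constructed relying-party id
RP_ORIGINS = {"https://bank.example", "https://www.bank.example"}
CRED_SECRET = secrets.token_bytes(32)                        # registered credential (constructed)


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> Optional[dict]:
    """What the user's device does when a page asks for a passkey.
    The browser, not the page, supplies the origin and refuses an rp_id the page's
    origin is not entitled to, so a look-alike domain gets no signature at all."""
    host = urlparse(page_origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        return None                                          # credential never leaves the device
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash field of authenticatorData
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()  # stand-in for the signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(expected_challenge: bytes, assertion: Optional[dict]) -> bool:
    """Relying-party side: every check must pass or the login is rejected."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") not in RP_ORIGINS:
        return False                                         # signed for another site
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge.hex()):
        return False                                         # replayed or foreign challenge
    if not hmac.compare_digest(assertion["auth_data"], hashlib.sha256(RP_ID.encode()).digest()):
        return False                                         # wrong relying-party id
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(CRED_SECRET, signed, hashlib.sha256).digest(), assertion["sig"])


def login_attempt(page_origin: str, requested_rp_id: str) -> bool:
    """One full ceremony: the site issues a challenge, the device answers, the site verifies."""
    challenge = secrets.token_bytes(32)
    return rp_verify(challenge, browser_get_assertion(page_origin, requested_rp_id, challenge))


def sms_code_check(expected: str, typed: str) -> bool:
    """Contrast: an SMS code carries no origin, so a code typed into any page verifies."""
    return hmac.compare_digest(expected, typed)
```

A genuine login from bank.example (or its www subdomain) succeeds, while a page at bank-login.example fails whether it asks for the real rp_id (the device refuses) or its own (the origin and rpIdHash checks fail); the SMS check has no equivalent binding.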
The NCSC said that it stopped short of endorsing passkeys last year because there were still key implementation challenges.
However, it said that progress with the technology over the past year, including the ability to move passkeys between Android and Apple phones, has now made the technology viable.
Passkeys not yet recommended for business
The centre said it can now recommend passkey technology to the public as a more secure and user-friendly login method, and to businesses as the default authentication option for consumers.
The NCSC is not yet recommending passkeys for business applications, which will take longer to phase in. Many organisations rely on old IT systems that do not support passkeys or two-factor authentication.
The NCSC said that where services do not support passkeys, it advises consumers to create strong passwords and use two-factor authentication.
Jonathon Ellison, director for national resilience at the NCSC, said moving to passkeys would accelerate the UK’s resilience against cyber attacks.
“The headaches that remembering passwords has caused us for decades no longer need to be a part of logging in, where users migrate to passkeys – they are a user-friendly alternative, which provides stronger overall resilience,” he said.
Phasing out passwords will be gradual, with the first step being for people to become comfortable with using passkeys. Big banks are expected to phase in the technology over the next three to five years.
