{"id":16134,"date":"2026-04-23T13:12:08","date_gmt":"2026-04-23T13:12:08","guid":{"rendered":"https:\/\/newestek.com\/?p=16134"},"modified":"2026-04-23T13:12:08","modified_gmt":"2026-04-23T13:12:08","slug":"uks-ncsc-calls-passkeys-the-default-says-passwords-are-no-longer-fit-for-the-purpose","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16134","title":{"rendered":"UK\u2019s NCSC calls passkeys the default, says passwords are no longer fit for the purpose"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The UK\u2019s National Cyber Security Centre (NCSC) is recommending passkeys as the default authentication method for businesses to offer consumers, citing industry progress that now makes them a more secure and user-friendly alternative to passwords.<\/p>\n<p>In a blog post published this week, the agency said passkeys can now be recommended to both the public and businesses as a primary authentication method.<\/p>\n<p>\u201cPasskeys should now be consumers\u2019 first choice of login,\u201d the UK cybersecurity authority <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-leave-passwords-in-the-past-passkeys-are-the-future\">said in a blog post<\/a>, adding that passwords are \u201cno longer resilient enough for the contemporary world.\u201d<\/p>\n<p>\u201cPasskeys are a newer method for logging into online accounts which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password. 
This makes passkeys quicker and easier to use and harder for cyber attackers to compromise,\u201d the NCSC added in the blog.<\/p>\n<p>The agency said passkeys should be used wherever supported, describing them as resistant to phishing and eliminating risks associated with password reuse.<\/p>\n<h2 class=\"wp-block-heading\" id=\"focus-on-phishing-resistant-authentication\">Focus on phishing-resistant authentication<\/h2>\n<p>The guidance is based on the agency\u2019s assessment of how authentication methods perform against real-world attacks.<\/p>\n<p>The NCSC said its analysis examines common techniques, including phishing, credential reuse, and session hijacking, and evaluates how credentials are exposed across their lifecycle, from creation and storage to use.<\/p>\n<p>\u201cPasskeys are resistant to phishing attacks and remove the risks associated with password reuse,\u201d the agency said.<\/p>\n<p>In its accompanying <a href=\"https:\/\/www.ncsc.gov.uk\/paper\/traditional-user-and-fido2-credentials-personal-use\" target=\"_blank\" rel=\"noreferrer noopener\">technical paper<\/a>, the NCSC said traditional authentication methods, including passwords combined with one-time codes, remain \u201cinherently phishable.\u201d<\/p>\n<p>By contrast, FIDO2-based credentials such as passkeys are \u201cas secure or more secure than traditional MFA against all common credential attacks observed in the wild,\u201d the agency said.<\/p>\n<p>However, NCSC cautioned in the technical paper that \u201cwhile much of the analysis in this paper also applies to enterprise authentication scenarios (for example staff authenticating to a Single Sign On), the different threat model and usage scenarios mean this paper is not intended for enterprise risk assessment.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-passkeys-change-the-attack-model\">How passkeys change the attack model<\/h2>\n<p>The NCSC added that passkeys reduce risk by removing reliance on shared secrets and binding 
authentication to the legitimate service.<\/p>\n<p>According to the agency, this prevents credential reuse and relay attacks, as authentication cannot be intercepted and reused by an attacker.<\/p>\n<p>Passkeys use cryptographic key pairs stored on a user\u2019s device, with authentication tied to device-based verification such as biometrics or PINs, the agency said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"shift-in-user-level-authentication\">Shift in user-level authentication<\/h2>\n<p>For organizations that provide online services to customers, the guidance signals a shift in how authentication is implemented at the user interface level.<\/p>\n<p>\u201cThis is a fundamental architectural change, not an incremental authentication upgrade,\u201d said Madelein van der Hout, senior analyst at Forrester. \u201cIt moves organizations beyond the passwords-plus-MFA paradigm toward a phishing-resistant foundation.\u201d<\/p>\n<p>Van der Hout said passkeys eliminate risks associated with credential theft by using device-bound cryptographic authentication rather than shared secrets.<\/p>\n<p>\u201cOrganizations that treat this as a credential swap will underinvest,\u201d she said. 
\u201cThose who treat it as a broader identity modernization opportunity will get ahead.\u201d<\/p>\n<p>The NCSC said organizations should also consider how authentication is implemented across the full user journey, including account recovery and fallback mechanisms.<\/p>\n<p>While passkeys reduce reliance on passwords, the agency noted that weaker processes, such as password resets or account recovery flows, can still introduce risk if not properly secured.<\/p>\n<h2 class=\"wp-block-heading\" id=\"adoption-challenges-remain\">Adoption challenges remain<\/h2>\n<p>The NCSC said passkeys are not yet universally supported and recommended password managers and multi-factor authentication where passkeys cannot be used.<\/p>\n<p>\u201cWhere a particular service does not support passkeys, the NCSC\u2019s advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification,\u201d NCSC noted in the blog post.<\/p>\n<p>Van der Hout said implementation challenges are likely, particularly for organizations operating across multiple platforms and user environments.<\/p>\n<p>\u201cLegacy systems and fragmented identity environments present significant obstacles,\u201d she said.<\/p>\n<p>She added that organizations must also consider non-human identities. 
\u201cAny passkey strategy that ignores the machine identity layer will create new security gaps,\u201d she said.<\/p>\n<p>Device requirements and account recovery processes may also affect how passkeys are deployed, she said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hybrid-model-is-expected-during-the-transition\">Hybrid model is expected during the transition<\/h2>\n<p>A full transition away from passwords is unlikely in the near term, analysts believe.<\/p>\n<p>\u201cExpect a hybrid model lasting several years,\u201d van der Hout said, as organizations continue to support both passkeys and traditional authentication methods.<\/p>\n<p>During this period, organizations will need to manage authentication across multiple login options while ensuring that fallback methods do not weaken overall security, she added.<\/p>\n<p>The NCSC similarly advised maintaining strong authentication practices where passkeys are not yet available.<\/p>\n<h2 class=\"wp-block-heading\" id=\"policy-signal-strengthens-shift-toward-passwordless-login\">Policy signal strengthens shift toward passwordless login<\/h2>\n<p>The guidance adds to broader efforts to move away from passwords in consumer authentication.<\/p>\n<p>\u201cThe guidance matters because it gives security leaders leverage,\u201d van der Hout said, including in discussions with vendors and internal stakeholders.<\/p>\n<p>The NCSC said that moving toward phishing-resistant authentication could reduce a major cause of cyber compromise, particularly in services that rely on user login credentials.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The UK\u2019s National Cyber Security Centre (NCSC) is recommending passkeys as the default authentication method for businesses to offer consumers, citing industry progress that now makes them a more secure and user-friendly alternative to passwords. 
In a blog post published this week, the agency said passkeys can now be recommended to both the public and businesses as a primary authentication method. \u201cPasskeys should now be&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16134\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16134","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16134"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16134\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}