GCHQ cyber agency urges millions to switch from passwords to passkeys

The UK’s cyber security authority has announced that passkeys should now replace passwords as the default way consumers sign in to online services, marking a significant shift in long-standing digital security practice.

Guidance published during Day Two of CYBERUK in Glasgow by the National Cyber Security Centre, part of GCHQ, states that passkeys are ready for widespread adoption and should become the preferred login method wherever available. The decision reflects growing concern among cyber security officials that passwords are no longer sufficiently resilient against modern cyber threats.

Passkeys allow users to authenticate access to accounts through their device, typically using biometrics or a secure unlock method, rather than entering memorised credentials. Because authentication is tied to a user’s device and the legitimate website domain, they are far harder to intercept or reuse than traditional passwords and are resistant to phishing attacks. A technical assessment released alongside the announcement found passkeys are at least as secure as the strongest passwords used together with two step verification, and in most cases provide stronger protection.

The NCSC says the majority of cyber incidents affecting individuals begin with compromised login details, making improvements to authentication practices one of the most effective ways to strengthen national cyber resilience. Officials also argue that passkeys remove the long-standing usability burden associated with creating and remembering complex passwords, reducing the likelihood that users repeat credentials across multiple services.

Jonathon Ellison, Director for National Resilience at the NCSC, said: “Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake.

The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience.

As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”

A growing number of major technology platforms already support passkeys, including Google, eBay and PayPal. According to Google, the UK is currently among the leading adopters globally, with more than half of active users of its services having registered at least one passkey.

The NCSC had previously stopped short of recommending passkeys as the default authentication option because of technical and implementation challenges across industry. Officials now say improvements in compatibility and deployment mean the technology can be confidently promoted to consumers and organisations alike. The centre is encouraging service providers to offer passkeys as their primary login option wherever possible.

Where passkeys are not yet available, the NCSC continues to advise individuals to use password managers to generate strong credentials and to enable two step verification. 

The government has also confirmed plans to introduce passkey authentication across its own digital services as an alternative to SMS-based verification, a move expected to improve account security while reducing operating costs by several million pounds annually.