UK Cyber Agency Advocates for Passkey Adoption

The UK’s National Cyber Security Centre (NCSC) is advising the public to move away from traditional passwords and embrace passkeys, a more secure and convenient way to verify identity online. This shift is prompted by the increasing threat of cyberattacks linked to compromised passwords.

Why the Change? The Vulnerability of Passwords

The NCSC’s decision marks a significant change in decades of security guidance. The agency states that the majority of cybercrime originates from compromised user logins – passwords that are frequently reused across multiple platforms, making them attractive targets for criminals.

What are Passkeys?

Passkeys are described as ‘digital stamps’ and offer a compelling alternative to passwords. Unlike passwords, they don’t require memorization. They are generated and securely stored on devices like smartphones, computers, and tablets.

How Passkeys Work

Authentication with passkeys typically involves biometric data, such as fingerprints or facial recognition, or a device’s PIN, making logging in faster and more secure.

Enhanced Security Against Hacking

The core strength of passkeys lies in their resistance to common hacking techniques. Even if a website using passkeys is breached, attackers only gain access to ‘public’ keys, which are useless without the corresponding ‘private’ key stored securely on the user’s device.
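
The breach-resistance property described above, shown as a challenge-response exchange between a device and a site. This is an added example, not code from the NCSC or from any passkey implementation; it models only the public/private key idea using Node.js's built-in crypto module rather than the WebAuthn message format, and the function names and the `alice` account are hypothetical.

```javascript
// Added example: passkey-style challenge-response; models the key-pair idea only,
// not the WebAuthn message format. All names and the 'alice' account are hypothetical.
const nodeCrypto = require('node:crypto');

// Registration: the device creates a key pair; the site stores only the public key.
function registerPasskey(serverDb, username) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  serverDb.set(username, publicKey.export({ type: 'spki', format: 'pem' }));
  return privateKey; // never leaves the user's device
}

// Site: a fresh random challenge for every login attempt.
const newChallenge = () => nodeCrypto.randomBytes(32);

// Device: signs the challenge once the user unlocks it (biometric or PIN, not modelled here).
const deviceSign = (privateKey, challenge) => nodeCrypto.sign('sha256', challenge, privateKey);

// Site: checks the signature against the stored public key.
function serverVerify(serverDb, username, challenge, signature) {
  const pem = serverDb.get(username);
  if (!pem) return false;
  try {
    return nodeCrypto.verify('sha256', challenge, pem, signature);
  } catch {
    return false; // malformed signature bytes
  }
}

function demo() {
  const serverDb = new Map();
  const deviceKey = registerPasskey(serverDb, 'alice');
  const c1 = newChallenge();
  const sig1 = deviceSign(deviceKey, c1);
  const legitimate = serverVerify(serverDb, 'alice', c1, sig1);

  // Breach model: a copy of serverDb holds public keys only.
  const leaked = serverDb.get('alice');
  const storedIsPublicOnly = leaked.includes('BEGIN PUBLIC KEY') && !leaked.includes('PRIVATE');
  // Without the device's private key, a signature from any other key is rejected...
  const otherKey = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const c2 = newChallenge();
  const forged = serverVerify(serverDb, 'alice', c2, deviceSign(otherKey, c2));
  // ...and a previously captured signature does not match a new challenge.
  const replayed = serverVerify(serverDb, 'alice', c2, sig1);
  return { legitimate, storedIsPublicOnly, forged, replayed };
}

console.log(demo());
```

The per-login random challenge is what makes a captured signature worthless on a later attempt, which a stored password or password hash cannot offer.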

Passkey Implementation and Benefits

The NCSC highlights that passkeys can save users up to a minute each time they sign in. The agency, part of GCHQ, has already implemented passkeys across several government digital services, including the National Health Service (NHS).

Cost Savings and Industry Adoption

The implementation of passkeys within the NHS has not only improved data security but also generated cost savings by eliminating the need for less secure multi-factor authentication methods like SMS codes. Major tech companies like Google, Microsoft, PayPal, and eBay have also adopted passkeys, with Google reporting over half of its UK users are already registered.

Addressing Previous Concerns

The NCSC initially hesitated to fully endorse passkeys due to concerns about early implementations. However, advancements in the technology have addressed these concerns, leading the agency to conclude that passkeys are now both secure and user-friendly.

Future Guidance and Recommendations

A forthcoming technical report from the NCSC will demonstrate that passkeys are as secure as, or even more secure than, strong passwords combined with two-factor authentication. For services that don’t yet support passkeys, the NCSC recommends using password managers to create and store complex, unique passwords, alongside two-factor authentication.

Expert Commentary

Cybersecurity expert Chris Hosking from SentinelOne emphasizes that passkeys eliminate entire categories of cyberattacks. He notes that the reliance on passwords creates a systemic weakness, leading to data breaches and compromised accounts.