UK Cybersecurity Agency Shifts to Support Passkeys, NCSC Advises Public to Gradually Say Goodbye to Traditional Passwords
The UK government's cybersecurity technology leadership agency, the National Cyber Security Centre (NCSC) under the Government Communications Headquarters (GCHQ), recently updated its official guidance to formally recommend that consumers prioritize "Passkeys" over traditional passwords as the preferred login method for various digital services. This statement was made public last Thursday, marking a significant shift in the UK government's stance on identity authentication technology.
Reports indicate that the NCSC's explicit support for Passkeys is closely related to the progress made in related technologies and the ecosystem over the past year. Last year, while the NCSC was already paying attention to this scheme, it did not formally endorse its promotion due to several key obstacles at the implementation level. Now, with the gradual improvement of supporting capabilities, the NCSC believes that Passkeys are ready for public promotion and positions them as a more secure and user-friendly login method. The agency also calls on businesses to set Passkeys as the default authentication option offered to consumers.
Jonathan Ellison, NCSC's National Resilience Affairs Director, stated that adopting Passkeys when conditions permit is an important step towards a "safer and simpler" login experience. He pointed out that users have long been troubled by remembering and managing passwords, and as users gradually shift to Passkeys, these problems are no longer an unavoidable part of online login processes. Ellison also emphasized that Passkeys are not only easier to use but also provide stronger overall security resilience. In the context of the UK's desire to significantly enhance national cyber defense capabilities, promoting Passkeys will be a practical measure for the public to improve the security of their daily digital services and address modern and future cyber threats.
From a practical application perspective, although Passkeys are officially recognized as a stronger security solution for the general public, their current popularity is still far behind traditional passwords and they cannot completely replace them in the short term. For websites and online services that do not yet support Passkeys, the current official recommendation still includes: using password managers to generate strong passwords and enabling two-factor authentication simultaneously to improve account security.
In addition, the UK government stated last year that it would gradually introduce Passkeys into its digital public services as one of the alternatives to SMS verification code verification mechanisms. The UK side expects this adjustment to save millions of pounds in expenditure each year.