Offer customers passkeys by default, UK’s NCSC tells enterprises

news
Apr 23, 2026

Developers of enterprise apps and websites will need to get to grips with passkeys: The UK's National Cyber Security Centre recommends them for their resistance to phishing and credential reuse, and warns that passwords are inherently vulnerable.


The UK’s National Cyber Security Centre (NCSC) is recommending passkeys as the default authentication method for businesses to offer consumers, citing industry progress that now makes them a more secure and user-friendly alternative to passwords.

In a blog post published this week, the agency said passkeys can now be recommended to both the public and businesses as a primary authentication method.

“Passkeys should now be consumers’ first choice of login,” the UK cybersecurity authority said in a blog post, adding that passwords are “no longer resilient enough for the contemporary world.”

“Passkeys are a newer method for logging into online accounts which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password. This makes passkeys quicker and easier to use and harder for cyber attackers to compromise,” the NCSC added in the blog.

The agency said passkeys should be used wherever they are supported, describing them as resistant to phishing and as eliminating the risks that come with password reuse.

Focus on phishing-resistant authentication

The guidance is based on the agency’s assessment of how authentication methods perform against real-world attacks.

The NCSC said its analysis examines common techniques, including phishing, credential reuse, and session hijacking, and evaluates how credentials are exposed across their lifecycle, from creation and storage to use.

“Passkeys are resistant to phishing attacks and remove the risks associated with password reuse,” the agency said.

In its accompanying technical paper, the NCSC said traditional authentication methods, including passwords combined with one-time codes, remain “inherently phishable.”

By contrast, FIDO2-based credentials such as passkeys are “as secure or more secure than traditional MFA against all common credential attacks observed in the wild,” the agency said.

However, NCSC cautioned in the technical paper that “while much of the analysis in this paper also applies to enterprise authentication scenarios (for example staff authenticating to a Single Sign On), the different threat model and usage scenarios mean this paper is not intended for enterprise risk assessment.”

How passkeys change the attack model

The NCSC added that passkeys reduce risk by removing reliance on shared secrets and binding authentication to the legitimate service.

According to the agency, this prevents credential reuse and relay attacks: each login is a signature over a fresh challenge issued by the service, and the signed data also covers the origin the browser is talking to, so an assertion captured or proxied by an attacker cannot be replayed or redirected to the legitimate service.

Passkeys use cryptographic key pairs stored on a user’s device, with authentication tied to device-based verification such as biometrics or PINs, the agency said. The service holds only the public key, so a breach of its credential store yields nothing an attacker can log in with.

Shift in user-level authentication

For organizations that provide online services to customers, the guidance signals a shift in how authentication is implemented at the user interface level.

“This is a fundamental architectural change, not an incremental authentication upgrade,” said Madelein van der Hout, senior analyst at Forrester. “It moves organizations beyond the passwords-plus-MFA paradigm toward a phishing-resistant foundation.”

Van der Hout said passkeys eliminate risks associated with credential theft by using device-bound cryptographic authentication rather than shared secrets.

“Organizations that treat this as a credential swap will underinvest,” she said. “Those who treat it as a broader identity modernization opportunity will get ahead.”

The NCSC said organizations should also consider how authentication is implemented across the full user journey, including account recovery and fallback mechanisms.

While passkeys reduce reliance on passwords, the agency noted that weaker processes, such as password resets or account recovery flows, can still introduce risk if not properly secured.

Adoption challenges remain

The NCSC said passkeys are not yet universally supported and recommended password managers and multi-factor authentication where passkeys cannot be used.

“Where a particular service does not support passkeys, the NCSC’s advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification,” NCSC noted in the blog post.

Van der Hout said implementation challenges are likely, particularly for organizations operating across multiple platforms and user environments.

“Legacy systems and fragmented identity environments present significant obstacles,” she said.

She added that organizations must also consider non-human identities. “Any passkey strategy that ignores the machine identity layer will create new security gaps,” she said.

Device requirements and account recovery processes may also affect how passkeys are deployed, she said.

Hybrid model is expected during the transition

A full transition away from passwords is unlikely in the near term, according to Forrester’s van der Hout.

“Expect a hybrid model lasting several years,” van der Hout said, as organizations continue to support both passkeys and traditional authentication methods.

During this period, organizations will need to manage authentication across multiple login options while ensuring that fallback methods do not weaken overall security, she added.

The NCSC similarly advised maintaining strong authentication practices where passkeys are not yet available.

Policy signal strengthens shift toward passwordless login

The guidance adds to broader efforts to move away from passwords in consumer authentication.

“The guidance matters because it gives security leaders leverage,” van der Hout said, including in discussions with vendors and internal stakeholders.

The NCSC said that moving toward phishing-resistant authentication could reduce a major cause of cyber compromise, particularly in services that rely on user login credentials.

The article originally appeared in CSO.