UK cyber chiefs say it's time to ditch passwords for passkeys - what are they?

20 hours ago

Liv McMahonTechnology reporter

Getty Images A woman with red hair is sitting on a sofa, holding her smartphone in front of her as she looks directly at its front camera.

People in the UK have been urged to start ditching passwords in favour of passkeys, where available, as a way to secure their accounts online.

Passwords have long been the default way many people set up and log in to accounts for digital services.

However, the National Cyber Security Centre (NCSC) said on Thursday it was "overhauling decades of security practice" to instead recommend passkeys as the most secure option.

Platforms including Apple, Google and X already let people use them instead of passwords, but what are passkeys, and how do they work?

The advice comes after years of warning people against using simple codes which can easily be guessed, like "123456", as well as pet names, as passwords.

Against a backdrop of rising data breaches, the NCSC has also repeated warnings against reusing the same password for different sites.

Password managers and multi-factor authentication (MFA) methods have grown in usage as a way to help strengthen and save log-in credentials.

The NCSC believes passkeys may be less vulnerable to hacks and human error, but some experts say they are still "not a silver bullet".

What are passkeys?

Like passwords, passkeys are a form of authentication to make sure it is you trying to access an account.

But unlike passwords, they do not require you to remember a code or combination of letters, numbers and symbols.

Passkeys are a piece of digital information which is tied to a user's account and unique to each site or app they use.

They use cryptography to perform checks at device-level.

And they usually work alongside tech already baked into devices like smartphones, such as Face ID and Touch ID on iPhones, and Face Unlock on Google Pixel phones.

Are passkeys the future of online security?

Google and iPhone-maker Apple are among operating system developers offering them as an alternative way users can sign into accounts.

According to the NCSC, passkeys can offer more protection because they are unique to each website you register to use them with, and there is no secret bit of information shared.

The NCSC's director for national resilience Jonathan Ellison called them "a user-friendly alternative which provide stronger overall resilience".

He added they could also help relieve "the headaches that remembering passwords have caused us for decades".

How do they work?

Passkeys are enabled by something called public key cryptography.

"Instead of you creating and remembering a shared secret, like a password, your device generates a secure key pair - one part stays on your device, and the other sits with the service you're logging into," says Daniel Card of BCS, the Chartered Institute for IT.

The process most often involves doing what you do to unlock your device - such as using built-in biometric sensors to scan your fingerprint or face, or using a pin code.

Only the fact you have completed the check - not the information itself - is exchanged.

"These physical security keys are totally resistant to phishing attempts and can't be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts," says Niall McConachie, regional director at cyber-security firm Yubico.

'Not a silver bullet'

The NCSC and many cyber experts believe passkeys may be at least as, if not more secure, than MFA methods such as pairing a strong password with checks to make sure it is you trying to log into an account on another device.

But Card notes, as others have previously, passkeys are "not a silver bullet".

Losing your device or access to it entirely can also make it tricky to configure passkeys.

The NCSC says it did not advocate switching to them in the past due to "implementation challenges" such as their slowed adoption and patchy support.

Lots of platforms still do not allow users to use passkeys instead of or as well as passwords.

Where they are not supported, the NCSC advises using a password manager to create strong passwords and use multiple methods of authentication

Getty Images A man sits at a desk with one hand on his laptop mouse and the other hovering over his smartphone. — Where they are not supported, the NCSC advises using a password manager to create strong passwords and use multiple methods of authentication

But according to Fido Alliance, an industry association advancing passkeys as a way to unlock a "password-less future", the tech is now supported across all major operating systems, internet browsers and by third-party providers.

And McConachie says growing support for the passkey - including with the UK Government's adoption of them across digital services last year - shows "this isn't just a niche trend".

"Moving from passwords to password managers, app-based MFA, and now passkeys is a step change in reducing risk," Card adds.

"That's why organisations like the NCSC are backing them, and why many in the security community are already adopting them wherever they're available."

Instagram denies breach after many receive emails asking to reset password

What Apple pulling Advanced Data Protection means for you

What is AI and how does it work?

A green promotional banner with black squares and rectangles forming pixels, moving in from the right. The text says: “Tech Decoded: The world’s biggest tech news in your inbox every Monday.”

Cyber-security