Particle.news

UK Cyber Agency Tells Consumers to Ditch Passwords for Passkeys

The guidance signals a shift to phishing‑resistant, device‑based sign‑ins that speed up logins for everyday users.

Overview

  • NCSC, which published a technical report Thursday at its CYBERUK conference, now recommends passkeys over passwords and says they are at least as secure as password plus two‑step verification.
  • Businesses are urged to offer passkeys as the default option for customers, though the agency is not yet recommending them for internal business applications.
  • Passkeys use a public‑private key pair stored on a user’s device and unlocked with a PIN or biometrics, so data stolen from a breached site reveals only a public key that does not grant access.
  • Adoption is growing as major providers support the method, with Google reporting that over half of its active UK users have registered a passkey and Apple, Microsoft, PayPal and eBay offering the option.
  • Where passkeys are not available, the agency advises using a password manager and two‑step verification. It expects a phased rollout across consumer services, including banks over the next three to five years, which could cut phishing and reduce SMS security costs.
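
The key-pair point in the overview can be seen in a simplified challenge-response sketch. This is an added example, not code from the NCSC report or this article, and it is a reduced model rather than the full WebAuthn protocol; the function names and the `shop.example` origins are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Device: generate the key pair; only the public half is sent to the site.
function createPasskey() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Device: sign the site's challenge together with the origin the browser reports.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Site: verify with only the stored public key, the challenge it issued, and its own origin.
function verifyAssertion(publicKeyPem, issuedChallenge, siteOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (!data || data.origin !== siteOrigin) return false;                      // signed for another site
  if (data.challenge !== issuedChallenge.toString('base64url')) return false; // stale or replayed
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
    publicKeyPem, assertion.signature);
}

function demo() {
  const SITE = 'https://shop.example';            // constructed origin
  const LOOKALIKE = 'https://shop-login.example'; // constructed origin
  const device = createPasskey();
  const stored = device.publicKeyPem;             // all that a breach of the site would expose
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = signAssertion(device.privateKey, challenge, SITE);
  // A party holding only the breached public key has no matching private key to sign with.
  const other = createPasskey();
  const withoutKey = signAssertion(other.privateKey, challenge, SITE);
  // A sign-in made on a lookalike page is bound to that page's origin.
  const wrongOrigin = signAssertion(device.privateKey, challenge, LOOKALIKE);
  return {
    genuine: verifyAssertion(stored, challenge, SITE, genuine),
    withoutKey: verifyAssertion(stored, challenge, SITE, withoutKey),
    wrongOrigin: verifyAssertion(stored, challenge, SITE, wrongOrigin),
    replayed: verifyAssertion(stored, nodeCrypto.randomBytes(32), SITE, genuine),
  };
}
```

Only the genuine assertion verifies; the site never holds anything that could be replayed or used to sign in elsewhere.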