UK NCSC recommends passkeys over passwords

- The UK’s NCSC used CYBERUK 2026 to start recommending passkeys wherever services support them, replacing its long-held default advice to rely on passwords.
- The key shift is technical, not just rhetorical: NCSC says passkeys are generally as secure as or stronger than passwords plus 2SV.
- That matters because phishing still starts with stolen logins, and passkeys cut off the cheapest, most scalable attack path.

Passwords are finally losing official backing. That is the real news here. At CYBERUK 2026 in Glasgow, the UK’s National Cyber Security Centre said it will now recommend passkeys wherever a service supports them, and two-step verification where passkeys are not available.

### What changed?

The NCSC had been cautiously positive on passkeys before, but had not fully endorsed them. Now it has crossed that line. In its new guidance and blog post, it says passwords are no longer resilient enough for modern threats and that passkeys should become the default sign-in option offered to consumers.

### What is a passkey, exactly?

A passkey is a FIDO2 credential stored and managed by your device — usually your phone, laptop, or password manager ecosystem. Instead of typing a secret that can be copied, reused, or tricked out of you, you approve a login with the device you already control, often with Face ID, a fingerprint, or a PIN. (ncsc.gov.uk)

### Why does NCSC think passkeys are better?

Basically, passwords fail in the same boring ways over and over. People reuse them. Attackers phish them. SMS and email codes can still be tricked away. The NCSC’s new analysis says all traditional MFA methods are inherently phishable, while FIDO2 credentials — including passkeys — are as secure as or more secure than traditional MFA against the common credential attacks seen in the wild. (ncsc.gov.uk)

### Does that mean passwords are dead?

Not tomorrow. The NCSC is pretty explicit that this will be a gradual refresh of guidance, not a one-day flip. If a service does not support passkeys, the fallback advice is still to use two-step verification. So this is less “burn the password field tonight” and more “stop designing the future around it.” (ncsc.gov.uk)

### Why now?

Because the implementation problems that made passkeys awkward a year ago have eased. The NCSC says it spent time working through technical and sociotechnical issues with websites, app developers, vendors, and the FIDO Alliance. In other words, the ecosystem got good enough that the security upside now outweighs the remaining friction. (ncsc.gov.uk)

### Is the UK only telling others to do this?

No — it is also using its own services as a test bed. On day one of CYBERUK, the government said GOV.UK services will begin rolling out passkey technology later in 2026 as an alternative to SMS-based verification. The pitch is security plus cost: fewer phishable logins, faster sign-ins, and savings of several million pounds a year. (ncsc.gov.uk)

### Why is SMS specifically falling out of favor?

Because SMS was always a compromise. It added a second factor, which helped, but the code still travels through a system that can be intercepted, redirected, or socially engineered around. Passkeys keep the credential on the device and tie the login to the real site, which is why phishing gets much harder. (ncsc.gov.uk)

### So what should people and companies do?

If you are a user, choose a passkey when a service offers one. If you run a service, offer passkeys by default and keep 2SV for the long tail of users and systems that are not ready yet. The NCSC’s message is simple: the safest mass-market login is no longer “better passwords.” It is moving beyond passwords. (ncsc.gov.uk 1) (ncsc.gov.uk 2)
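To make concrete what "keep the credential on the device and tie the login to the real site" means, here is an added example, written for this page and not taken from the NCSC or any service it mentions: a compact Go model of the WebAuthn assertion ceremony that passkeys use. The authenticator signs the server's challenge together with the origin the browser is actually on; the browser only releases a credential whose RP ID matches that origin; and the server accepts each challenge once and checks the origin before it trusts the signature. The names example.gov.uk, login.example.gov.uk, alice and the evil.example domains are constructed for the demonstration; the sign counter, attestation and multi-user bookkeeping of real WebAuthn are left out to keep the model short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// clientData is the part of WebAuthn's clientDataJSON that matters here; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed login response: AuthData = rpIdHash(32)|flags(1)|counter(4), Signature = ECDSA P-256.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator models the device: one P-256 key pair per RP ID; private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a passkey scoped to rpID and hands back only the public key.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the OS RNG is broken
	a[rpID] = priv
	return &priv.PublicKey
}

// signedHash is exactly what WebAuthn signs; the origin is bound in through clientData.
func signedHash(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// GetAssertion stands in for navigator.credentials.get() on a page at browserOrigin. Browser rule (simplified):
// rpID must be the origin's host or a registrable suffix of it, so a lookalike domain never gets the real site's key.
func (a Authenticator) GetAssertion(browserOrigin, rpID, challenge string) (*Assertion, error) {
	u, err := url.Parse(browserOrigin)
	priv, ok := a[rpID]
	if err != nil || u.Scheme != "https" || !ok || (u.Hostname() != rpID && !strings.HasSuffix(u.Hostname(), "."+rpID)) {
		return nil, fmt.Errorf("no passkey for RP ID %q usable from origin %q", rpID, browserOrigin)
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags 0x05: user present + user verified; counter left at 0
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cdJSON, sig}, nil
}

// RelyingParty is the server side for a single user (enough for the model): the stored public key,
// one pending single-use challenge, and a strict origin check.
type RelyingParty struct {
	ID, Origin, pending string
	Key                 *ecdsa.PublicKey
}

// NewChallenge issues a fresh random challenge that is valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	rp.pending = base64.RawURLEncoding.EncodeToString(b)
	return rp.pending
}

// Verify rejects replays (challenge reuse), relays (wrong origin) and forgeries (bad signature).
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || rp.pending == "" || cd.Challenge != rp.pending {
		return fmt.Errorf("unknown or reused challenge")
	}
	rp.pending = ""
	if cd.Origin != rp.Origin {
		return fmt.Errorf("assertion was made on %q, not %q", cd.Origin, rp.Origin)
	}
	if rp.Key == nil || !ecdsa.VerifyASN1(rp.Key, signedHash(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth := Authenticator{}
	rp := &RelyingParty{ID: "example.gov.uk", Origin: "https://login.example.gov.uk"} // constructed names
	rp.Key = auth.Register(rp.ID)
	as, _ := auth.GetAssertion(rp.Origin, rp.ID, rp.NewChallenge())
	fmt.Println("genuine site:", rp.Verify(as), "| replay:", rp.Verify(as))
	_, err := auth.GetAssertion("https://login-example-gov.uk.evil.example", rp.ID, rp.NewChallenge())
	fmt.Println("lookalike site:", err)
}
```

Running it shows the genuine login verifying, the same assertion failing on replay, and the lookalike origin unable to obtain an assertion at all. The contrast with an SMS code is the point: a code typed into a lookalike page is just a string that can be forwarded to the real site, whereas the passkey assertion carries the origin inside the signed data, so forwarding it to the real site fails the origin check even if the attacker relays the genuine challenge.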
