NCSC: Make Passkeys Default
- Britain's National Cyber Security Centre said passkeys should become the default consumer sign-in method.
- The agency argued passkeys remove whole classes of phishing and credential-theft attacks while improving usability.
- The guidance was published April 23, 2026, urging platforms to adopt passkeys as the default option. (ncsc.gov.uk)
A passkey is a device-based login, usually unlocked with your face, fingerprint, or PIN, and Britain’s cyber agency wants it to become the default way consumers sign in. (ncsc.gov.uk)

The National Cyber Security Centre published that recommendation on April 23, 2026, saying passkeys are now mature enough for businesses to offer as the standard consumer sign-in option. The agency said it had held back from endorsing them a year earlier because of implementation problems. (ncsc.gov.uk)

Passkeys work with public-key cryptography: your device keeps a private key, and the service stores only a matching public key. That means there is no reusable password for a fake site to steal and no password database for attackers to reuse elsewhere. (ncsc.gov.uk)

The NCSC said passkeys block whole classes of attacks that still work against passwords and many common two-step logins. In a separate technical note, it said passwords plus SMS codes, email codes, app-generated one-time codes, and push approvals are all still vulnerable to phishing. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

The agency’s position marks a shift from January 2025, when it said passkeys were “the future” but still flagged rollout problems around recovery, cross-device use, and ecosystem support. Its new guidance says industry progress has moved those obstacles far enough for a public recommendation. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

The push also lines up with a broader government move in Britain. Earlier this week, the government said it would roll out passkey technology across digital services later in 2026 and replace SMS-based verification in those systems. (ncsc.gov.uk)

Industry groups have been making the same case to service providers. The FIDO Alliance said passkeys are the only practical phishing-resistant option for consumers today, but it also warned that forcing an immediate switch can create user friction and account-recovery problems if companies handle the transition badly. (fidoalliance.org)

For consumers, the near-term change is simple: more sites are likely to start presenting “sign in with a passkey” first instead of treating it as an advanced setting. For platforms, the NCSC’s message is that passwords should stop being the default they fall back on. (ncsc.gov.uk)
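
The public-key sign-in the article describes, as an added Node.js sketch (not code from the NCSC or the FIDO Alliance): a simplified model of a WebAuthn-style assertion showing the checks a service makes and why a lookalike site gets nothing it can reuse. The domain names, the in-memory credential map and the `deviceSign`, `verifyAssertion` and `demo` helpers are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'shop.example';              // constructed relying-party ID
const RP_ORIGIN = 'https://shop.example';  // constructed legitimate origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the private key stays on the device, scoped to the RP ID;
// the service stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const deviceCredentials = new Map([[RP_ID, privateKey]]);

// Device side (simplified): the RP ID is taken from the page's real origin, so a
// lookalike site finds no credential. Real browsers also accept a parent domain.
function deviceSign(challenge, origin) {
  const rpId = new URL(origin).hostname;
  const key = deviceCredentials.get(rpId);
  if (!key) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, key) };
}

// Service side: accept the sign-in only if every check passes.
function verifyAssertion(a, expectedChallenge) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  const got = Buffer.from(client.challenge, 'base64url');
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return 'challenge-mismatch';
  if (client.origin !== RP_ORIGIN) return 'wrong-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp-id';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Returns the outcome of four constructed sign-in attempts.
function demo() {
  const c1 = crypto.randomBytes(32), c2 = crypto.randomBytes(32);
  const good = deviceSign(c1, RP_ORIGIN);
  const altered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  altered.authenticatorData[36] ^= 1;  // signCount changed after signing
  return { legitimate: verifyAssertion(good, c1),
           lookalike: deviceSign(c1, 'https://shop-example.test'),
           replayed: verifyAssertion(good, c2),
           altered: verifyAssertion(altered, c1) };
}
```

A production service should rely on a maintained WebAuthn library, which also handles attestation, signature-counter tracking and credential lookup that this sketch leaves out.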