Flash News

UK National Cyber Security Centre states Passkeys are "at least not weaker, often stronger" than traditional passwords in most scenarios

The UK National Cyber Security Centre (NCSC) has stated in its latest technical report that Passkeys are "at least not weaker, often stronger" than traditional passwords (even with two-factor authentication) in most scenarios, positioning them as the "preferred login method for various digital services" for the first time. NCSC announced at the CYBERUK conference that it will prioritize recommending Passkeys in all future official guidelines, using password + two-factor authentication only as a fallback when services do not support Passkeys.

The report points out that Passkeys are based on FIDO2 cryptographic key pairs whose private half is stored on the local device and unlocked by fingerprint, facial recognition, or PIN; unlike a password, the secret is never transmitted over the network or stored on the server, making them inherently immune to phishing, credential stuffing, and brute-force attacks. Each site gets its own unique key pair, so a single leak does not affect other accounts. NCSC cited industry data indicating significant improvements in compatibility and usability over the past year, with over half of active Google users in the UK having registered at least one Passkey. Platforms such as eBay, PayPal, and several other large services now support Passkeys, leading the agency to stop recommending reliance on passwords where "safer alternatives are available."

Source: Public information

ABAB AI Insight

NCSC's statement marks a shift in the "password vs Passkeys" debate from a technical consensus to a national security baseline: the default assumption is now that "passwords are a legacy solution, Passkeys are the new norm." After years of promoting multi-factor authentication (especially SMS/email codes), NCSC directly points out that traditional MFA is "inherently phishable," while FIDO2/Passkeys have measurably suppressed large-scale credential theft in real-world attack samples, effectively acknowledging that "continuing to strengthen passwords" has limited marginal returns as a defensive strategy.

From a security structure perspective, Passkeys change the entire economics of attacks. The password system relies on "user memory + server-stored hashes" for its security; once either part is compromised, attackers can replay credentials or run credential-stuffing attacks in bulk. Passkeys lock the secret inside a local authenticator (phone, security chip, browser), and the server stores only the public key, meaning that even if a server is breached, no reusable login credential can be obtained, and a phishing site cannot trick users into handing over a "stealable" password or code. For attackers, the cost shifts from "bulk automated email phishing + credential stuffing" to "compromising individual devices or poisoning the supply chain," fundamentally rewriting the scale and profit model of attacks.
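As an added illustration of the public-key mechanism described in the report summary and in the paragraph above (example code, not code from NCSC, the FIDO Alliance, or any passkey implementation), the Go program below models the core of a WebAuthn-style passkey login: the authenticator keeps one private key per relying-party ID (rpID), the server stores only the public key and issues a fresh per-login challenge, and every signature is bound to the origin that requested it. The rpID strings and the simplified SHA-256(rpId) || challenge message are assumptions for illustration; real WebAuthn signs a richer authenticatorData and clientDataJSON structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: one private key per relying-party ID (rpID), never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register makes a fresh P-256 key pair for rpID; the public key is all the server ever stores.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the server's challenge bound to the origin the browser reports; a lookalike origin has no credential.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData mirrors WebAuthn's SHA-256(rpId) || challenge binding (simplified assumption for this example).
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}

// Verify is the relying party's check: stored public key, its own rpID, and the fresh challenge it issued.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}

// NewChallenge is the server's per-login nonce, so a captured assertion cannot be replayed later.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}
```

A breached database yields only public keys, which cannot produce a valid assertion; a lookalike origin gets no signature at all, and a captured signature fails against the next challenge.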

At the same time, this is a "usability-driven security migration." Both NCSC and industry data show that Passkeys log in much faster than passwords + secondary codes: users simply glance at the camera or touch a fingerprint sensor, with no need to remember complex character strings or to repeatedly copy codes and reset passwords across multiple devices, which significantly reduces user resistance when companies push for safer solutions. Past security upgrades often sacrificed experience (longer passwords, more codes), but Passkeys excel at both "being safer" and "being more convenient," which is key to the rapid rise in adoption by governments and large platforms.

From a broader technological and governance perspective, this shift also means that the power of "identity infrastructure" is further centralized among devices and platforms: as biometrics and security keys become the core authentication methods, operating system vendors, browsers, and a few large platforms gain more control over who is allowed to authenticate, along with the authority to set standards. The UK government’s decision to provide a clear policy signal at this juncture is both a response to the global passwordless standard promoted by the FIDO Alliance and major tech companies, and an attempt, through large-scale deployment in the public sector (e.g., Gov.UK, NHS), to avoid future identity systems being completely locked down by a few private platforms. In the long run, this will redefine corporate security roadmaps: the question will no longer be "how to manage passwords well," but "how to host and orchestrate Passkeys in a compliant, privacy-friendly manner across multiple platforms and devices."

Source: ABAB News · 4 min read · 8d ago