The UK's National Cyber Security Centre (NCSC) has officially recommended passkeys as the default authentication method for consumer-facing services, declaring that traditional passwords are no longer resilient enough against modern threats. The agency's technical analysis found FIDO2-based passkeys resistant to phishing, credential reuse, and relay attacks, outperforming passwords combined with one-time codes. A passkey is a per-service public-key credential: the private key stays on the user's device (or in a synced credential store) and is unlocked locally with a biometric or PIN, the service stores only the public key, and each login is a signature over a fresh server challenge bound to the site's origin, so there is no shared secret to phish, reuse, or replay. Analysts note this represents a fundamental architectural shift rather than a simple credential swap, and warn that legacy systems, fragmented identity environments, and account recovery flows remain challenges. A hybrid model supporting both passkeys and traditional methods is expected for several years during the transition.
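To make the phishing, reuse and replay resistance concrete, the following is an added Go example (not from the article, the NCSC, or any FIDO2 library) that models the WebAuthn assertion flow in miniature: an authenticator that holds one P-256 key per relying-party ID, a browser-built clientData carrying the challenge and origin, and a relying party that checks the challenge is fresh, the origin matches, the rpId hash matches, and the signature verifies. The domain names bank.example and bank-login.example and the four scenarios are constructed for illustration; real authenticatorData also carries flags and a signature counter, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator is the device side: one P-256 private key per relying-party ID, never exported.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }
// clientData is built by the browser, not the page, so it names the origin the user is really on.
type clientData struct{ Type, Challenge, Origin string }
// Assertion is what the server gets back (real authenticatorData also has flags and a counter).
type Assertion struct {
	RpIdHash   [32]byte
	ClientData []byte
	Sig        []byte
}
// RelyingParty is the server: public keys only, plus single-use challenges.
type RelyingParty struct {
	rpId, origin string
	pub          *ecdsa.PublicKey
	issued       map[string]bool
}

func (a *Authenticator) Register(rpId string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // scoped to rpId, stays on device
	a.creds[rpId] = k
	return &k.PublicKey
}

// Assert signs SHA-256(rpIdHash || SHA-256(clientDataJSON)), as WebAuthn does.
func (a *Authenticator) Assert(rpId, origin, challenge string) (*Assertion, error) {
	k, ok := a.creds[rpId]
	if !ok { // a look-alike domain has no credential, so there is nothing to sign
		return nil, errors.New("no credential scoped to " + rpId)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpIdHash, cdHash := sha256.Sum256([]byte(rpId)), sha256.Sum256(cd)
	msg := sha256.Sum256(append(rpIdHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, k, msg[:])
	return &Assertion{rpIdHash, cd, sig}, err
}

// NewChallenge issues a fresh random nonce that Verify consumes on first use.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

// Verify runs the checks that give passkeys their phishing and replay resistance.
func (rp *RelyingParty) Verify(a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientData")
	}
	if !rp.issued[cd.Challenge] {
		return errors.New("unknown or already used challenge (replay)")
	}
	delete(rp.issued, cd.Challenge) // single use, whatever happens below
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch: signed for " + cd.Origin)
	}
	cdHash := sha256.Sum256(a.ClientData)
	msg := sha256.Sum256(append(a.RpIdHash[:], cdHash[:]...))
	if a.RpIdHash != sha256.Sum256([]byte(rp.rpId)) || !ecdsa.VerifyASN1(rp.pub, msg[:], a.Sig) {
		return errors.New("rpId hash or signature does not verify")
	}
	return nil
}

// RunScenarios returns nil or the rejection error for a genuine login, a
// look-alike domain, a relayed challenge with the wrong origin, and a replay.
func RunScenarios() map[string]error {
	const rpId, origin = "bank.example", "https://bank.example" // constructed names
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{rpId, origin, auth.Register(rpId), map[string]bool{}}
	out := map[string]error{}
	genuine, _ := auth.Assert(rpId, origin, rp.NewChallenge()) // 1. right rpId, right origin
	out["genuine"] = rp.Verify(genuine)
	// 2. A phishing page relays the real challenge, but the browser derives rpId
	//    from the page's own origin and the device holds no credential for it.
	_, out["lookalike"] = auth.Assert("bank-login.example", "https://bank-login.example", rp.NewChallenge())
	// 3. Even if a client forced the real rpId, clientData still names the true
	//    origin, so the server rejects it before looking at the signature.
	forged, _ := auth.Assert(rpId, "https://bank-login.example", rp.NewChallenge())
	out["origin"] = rp.Verify(forged)
	out["replay"] = rp.Verify(genuine) // 4. captured assertion replayed: challenge already spent
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

Scenario 2 is why a look-alike domain gets nothing to relay: the credential is keyed by rpId, which the browser derives from the page's own origin, not from anything the page asks for. Scenario 3 shows the second, independent line of defence in the origin check, and scenario 4 shows why a captured assertion is worthless without the single-use challenge. A production relying party additionally checks the signature counter and user-presence/verification flags in authenticatorData, which this model leaves out.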

From csoonline.com