Britain’s top cyber agency is urging members of the public to replace password logins with a more secure ‘passkey’ system to access online services.
Security chiefs at the National Cyber Security Centre say the passkey system can be used to authenticate users’ identities without the need for traditional passwords, in a significant boost to tackling online phishing and user credential theft.
The agency announced it was on a pathway to recommend passkeys last year but had to overcome a number of ‘implementation’ hurdles.
Those included not being able to easily move passkeys between different ecosystems, such as Apple and Android, but that has been resolved.
Now, the standard – developed by the FIDO Alliance, a non-profit industry consortium formed in 2012 to address the lack of interoperability between strong authentication devices – has finally been officially endorsed by the NCSC.
At the moment, passkeys are recommended for consumers only, as not all businesses will be in a position to quickly adopt the standard owing to legacy IT challenges.
However, security experts say that the passkey system – based on complex cryptography – will be as secure as, if not more secure than, a password combined with two-factor authentication, such as a numerical code sent by text message or email.
In a technical briefing yesterday at the CYBERUK conference, officials conceded that communicating how the new system works will be a challenge. However, they shared research which showed many NHS staff did not need the complexity of the system to be ‘explained’. They just wanted something that was ‘safe’ and that they could ‘trust’.
Microsoft has announced that anyone who signs up for a new Hotmail account will set up a passkey rather than a password. In time, the tech giant will look to phase out passwords for users altogether. A Norwegian bank has also become one of the first globally to adopt the new standard.
Google, eBay and PayPal also support passkeys and new data from Google shows the UK already leads global adoption of the standard, with just over 50% of active Google services users in the UK having one registered.
NCSC has not put a timeline on how long it will be before passkeys are universal, but technical staff believe in time ‘passwordless’ access to online services will become the norm.
Jonathon Ellison, director for national resilience at the NCSC, said: “Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake.
“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provides stronger overall resilience.”
How the technology works
The NCSC has published an 18-page paper explaining how the technology works ‘under the hood’. While the underlying mechanics are complex, the passkey system relies on generating two linked cryptographic keys — one private, stored on the user’s device, and one public, held by the online service they’re logging into. When the user signs in, their device proves it holds the correct private key without ever revealing it to the service provider.
Losing a device doesn’t necessarily mean losing access to your accounts. Passkeys are typically synced across a user’s ecosystem – such as Apple’s iCloud Keychain, Google Password Manager, or a third-party credential manager like 1Password or LastPass – so losing one device doesn’t lock a user out as long as they have another device linked to the same account. If a user loses all their devices, they can recover access by going through the service’s account recovery process.
