Passkeys and passwords – what you need to know about NCSC’s guidance
Recent guidance from the NCSC has suggested passkeys should be the default authentication for consumers, but why are they better than passwords?
Released in April, the government’s National Cyber Security Centre (NCSC)’s guidance couldn’t have been much clearer: “passkeys should now be consumers’ first choice of login across all digital services”, and passwords should be left in the past.
How Does a Passkey Work?
A passkey is a password-free method of authentication: a credential stored on an individual device and unlocked with that device’s PIN or biometrics, such as a fingerprint or Face ID. Because a passkey is cryptographically bound to the site it was registered with, it cannot be used to sign in to a lookalike site, which is what makes passkeys phishing resistant and more difficult to exploit than a password. Using them is therefore more secure, and users no longer need a password manager or a memorable password that could be simple to crack should their accounts be targeted by cyber criminals.
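To make the phishing-resistance point concrete, here is an added illustration in Go (not code from the original post, PureCyber or the NCSC) that models a passkey sign-in with a simplified WebAuthn-style flow: the device signs the site’s challenge together with the origin the browser reports, and the site refuses any assertion that names a different origin or a challenge it did not issue. The relying-party ID, origins and challenge values are constructed for the example, and the signed digest is simplified from WebAuthn’s real authenticatorData layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors WebAuthn's clientDataJSON: the browser, not the user, records the
// origin that requested the signature, and the relying party checks it is its own.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewPasskey models registration: a fresh P-256 key pair created on the user's device.
// The private key never leaves it; the site stores only the public half.
func NewPasskey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// assertionDigest is what gets signed: sha256(sha256(rpId) || sha256(clientDataJSON)),
// a simplification of WebAuthn, so site identity and requesting origin are both bound in.
func assertionDigest(rpID string, cdJSON []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return digest[:]
}

// SignAssertion is the device's answer to a login challenge, for the origin the browser reports.
func SignAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) (cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, err = ecdsa.SignASN1(rand.Reader, key, assertionDigest(rpID, cdJSON))
	return cdJSON, sig, err
}

// VerifyAssertion is the site's check: its own challenge (nothing can be replayed), its
// own origin (a lookalike site's sign-in is refused), and a valid signature under the
// public key it stored at registration.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(rpID, cdJSON), sig)
}
```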
But are passkeys a legitimately stronger, more secure option for authentication, and why has this guidance been released?
Why Has the NCSC Said This?
Advice such as this shouldn’t come as a surprise. The NCSC has direct initiatives to continually drive better security postures and minimise threats, and this guidance is very much in line with those goals.
The current threat landscape only heightens the importance of advice such as this. We’re in a time where the risks faced by consumers, organisations and even cyber security providers like PureCyber are rapidly evolving thanks to the widespread adoption of AI, which makes it easier to exploit almost any account. For instance, over the last few years we’ve seen the wider perception of multi-factor authentication as an impenetrable barrier change, with targeted attacks rising and multi-factor token theft increasing. That makes public guidance on which authentication methods to use vital: the NCSC wants the public to ensure they are using the most secure options to protect themselves, and given the alternatives, passwords now fall into the category of ‘less secure’.
It’s important to note that passkeys have been around for 10 years, so this guidance is not simply jumping on a popular, increasingly used form of authentication for the sake of it. Passkey adoption also actively fixes some of the flaws that come with two-factor authentication or password use because:
they’re cryptographically secure,
they’re harder to exploit,
they’re faster and more convenient than inputting passwords,
and they’re phishing resistant.
Are Passkeys a Better Option?
The short answer is yes. One criticism often aimed at passkeys as a form of authentication is that they are device specific and lack the synchronisation to work across multiple devices. However, this is changing: passkeys can be stored in password managers, for instance, and Apple allows passkey synchronisation across its devices for ease of access between Macs and iPhones, making them a more legitimate option.
Passkeys have certainly become more commonplace and thus more accessible as a viable authentication option, but as yet they aren’t as common a method as passwords, which makes the “where available” part of the NCSC’s guidance very important. For example, the NCSC’s own login portal doesn’t offer passkeys as an option at this stage, which is something they’ll likely address in the near future.
PureCyber’s Advice
Our own guidance mirrors the NCSC’s: use passkeys wherever you can and don’t avoid them! As a form of authentication, they’re harder for cyber criminals to exploit and act as an enhanced form of digital security. Passwords certainly have their place, but passkeys represent a more secure alternative that adds a layer of protection that is much harder to circumvent.
For the average consumer, using a passkey where available is potentially as simple as using the fingerprint scanner or Face ID option on your smartphone, but adoption for applications and systems can make matters more complex. If you or your organisation is building, designing or maintaining an application and wishes to support passkey use, please contact our experts for advice on the best way to implement them.