UK NCSC Endorses Passkeys as Default Authentication Method
Severity: Low (Score: 27.9)
Sources: www.ncsc.gov.uk, Infosecurity-Magazine, Ncsc.Uk, Csoonline, Theregister
Summary
The UK's National Cyber Security Centre (NCSC) has officially recommended that businesses adopt passkeys as the default authentication method for consumers, marking a significant shift away from traditional passwords. This guidance, announced on April 23, 2026, asserts that passkeys are more secure and user-friendly, being resistant to phishing and credential reuse. The NCSC's endorsement follows a year of industry improvements, including better support from major platforms like Google and Microsoft. The agency's analysis indicates that passkeys provide a stronger defense against common cyber threats compared to passwords and two-step verification methods. While passkeys are encouraged wherever available, the NCSC still advises using passwords combined with two-step verification in scenarios where passkeys are not supported. The move aims to enhance the UK's overall cybersecurity posture amid rising cyber threats. The NCSC plans to provide further guidance for businesses on implementing passkeys effectively.
Key Points:
- NCSC recommends passkeys as the default authentication method for consumers.
- Passkeys are more secure and user-friendly compared to traditional passwords.
- Major platforms like Google and Microsoft have improved passkey support.
Key Entities
- Phishing (attack_type)
- T1566 - Phishing (mitre_attack)
- FIDO2 (platform)
- WebAuthn (platform)