The UK’s National Cyber Security Centre (NCSC) announced on Thursday that it is “overhauling decades of security practice” by officially recommending passkeys as the most secure method for logging into online accounts, replacing traditional passwords, according to BBC.

Passkeys are a form of digital authentication tied to a user’s account, with a unique key generated for each website or app. Unlike passwords, users do not need to remember complex combinations of letters, numbers, and symbols. Passkeys use cryptography to perform authentication checks at the device level, significantly reducing the risk of hacking and human error.

The NCSC’s guidance comes against a backdrop of rising data breaches. For years, the agency has warned the public against using easily guessed passwords such as “123456” or pet names, and against reusing the same password across multiple sites.

Platforms including Apple, Google, and X (formerly Twitter) already allow users to authenticate with passkeys instead of passwords. When a user attempts to log in, the system performs an encrypted verification on the device — typically through fingerprint, facial recognition, or a device PIN — eliminating the need to type in a password.

While the NCSC has expressed strong support for passkeys, some security experts caution that they are “not a silver bullet.” They note that the security of passkeys still depends on the security of the user’s device itself, and that lost or damaged devices could create access difficulties.

In recent years, the adoption of password managers and multi-factor authentication (MFA) has grown steadily. However, the NCSC believes passkeys represent the future direction of identity authentication. The agency advises users to combine passkey adoption with vigilance — regularly checking account activity and enabling all available security features.

Sources: BBC News