{"id":7915,"date":"2026-04-23T13:08:39","date_gmt":"2026-04-23T13:08:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7915"},"modified":"2026-04-23T13:08:39","modified_gmt":"2026-04-23T13:08:39","slug":"offer-customers-passkeys-by-default-uks-ncsc-tells-enterprises","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7915","title":{"rendered":"Offer customers passkeys by default, UK\u2019s NCSC tells enterprises"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The UK\u2019s National Cyber Security Centre (NCSC) is recommending passkeys as the default authentication method for businesses to offer consumers, citing industry progress that now makes them a more secure and user-friendly alternative to passwords.<\/p>\n<p>In a blog post published this week, the agency said passkeys can now be recommended to both the public and businesses as a primary authentication method.<\/p>\n<p>\u201cPasskeys should now be consumers\u2019 first choice of login,\u201d the UK cybersecurity authority <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-leave-passwords-in-the-past-passkeys-are-the-future\">said in a blog post<\/a>, adding that passwords are \u201cno longer resilient enough for the contemporary world.\u201d<\/p>\n<p>\u201cPasskeys are a newer method for logging into online accounts which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password. 
This makes passkeys quicker and easier to use and harder for cyber attackers to compromise,\u201d the NCSC added in the blog.<\/p>\n<p>The agency said passkeys should be used wherever supported, describing them as resistant to phishing and eliminating risks associated with password reuse.<\/p>\n<h2 class=\"wp-block-heading\">Focus on phishing-resistant authentication<\/h2>\n<p>The guidance is based on the agency\u2019s assessment of how authentication methods perform against real-world attacks.<\/p>\n<p>The NCSC said its analysis examines common techniques, including phishing, credential reuse, and session hijacking, and evaluates how credentials are exposed across their lifecycle, from creation and storage to use.<\/p>\n<p>\u201cPasskeys are resistant to phishing attacks and remove the risks associated with password reuse,\u201d the agency said.<\/p>\n<p>In its accompanying <a href=\"https:\/\/www.ncsc.gov.uk\/paper\/traditional-user-and-fido2-credentials-personal-use\" target=\"_blank\" rel=\"noopener\">technical paper<\/a>, the NCSC said traditional authentication methods, including passwords combined with one-time codes, remain \u201cinherently phishable.\u201d<\/p>\n<p>By contrast, FIDO2-based credentials such as passkeys are \u201cas secure or more secure than traditional MFA against all common credential attacks observed in the wild,\u201d the agency said.<\/p>\n<p>However, NCSC cautioned in the technical paper that \u201cwhile much of the analysis in this paper also applies to enterprise authentication scenarios (for example staff authenticating to a Single Sign On), the different threat model and usage scenarios mean this paper is not intended for enterprise risk assessment.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How passkeys change the attack model<\/h2>\n<p>The NCSC added that passkeys reduce risk by removing reliance on shared secrets and binding authentication to the legitimate service.<\/p>\n<p>According to the agency, this prevents credential 
reuse and relay attacks, as authentication cannot be intercepted and reused by an attacker.<\/p>\n<p>Passkeys use cryptographic key pairs stored on a user\u2019s device, with authentication tied to device-based verification such as biometrics or PINs, the agency said.<\/p>\n<h2 class=\"wp-block-heading\">Shift in user-level authentication<\/h2>\n<p>For organizations that provide online services to customers, the guidance signals a shift in how authentication is implemented at the user interface level.<\/p>\n<p>\u201cThis is a fundamental architectural change, not an incremental authentication upgrade,\u201d said Madelein van der Hout, senior analyst at Forrester. \u201cIt moves organizations beyond the passwords-plus-MFA paradigm toward a phishing-resistant foundation.\u201d<\/p>\n<p>Van der Hout said passkeys eliminate risks associated with credential theft by using device-bound cryptographic authentication rather than shared secrets.<\/p>\n<p>\u201cOrganizations that treat this as a credential swap will underinvest,\u201d she said. 
\u201cThose who treat it as a broader identity modernization opportunity will get ahead.\u201d<\/p>\n<p>The NCSC said organizations should also consider how authentication is implemented across the full user journey, including account recovery and fallback mechanisms.<\/p>\n<p>While passkeys reduce reliance on passwords, the agency noted that weaker processes, such as password resets or account recovery flows, can still introduce risk if not properly secured.<\/p>\n<h2 class=\"wp-block-heading\">Adoption challenges remain<\/h2>\n<p>The NCSC said passkeys are not yet universally supported and recommended password managers and multi-factor authentication where passkeys cannot be used.<\/p>\n<p>\u201cWhere a particular service does not support passkeys, the NCSC\u2019s advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification,\u201d NCSC noted in the blog post.<\/p>\n<p>Van der Hout said implementation challenges are likely, particularly for organizations operating across multiple platforms and user environments.<\/p>\n<p>\u201cLegacy systems and fragmented identity environments present significant obstacles,\u201d she said.<\/p>\n<p>She added that organizations must also consider non-human identities. 
\u201cAny passkey strategy that ignores the machine identity layer will create new security gaps,\u201d she said.<\/p>\n<p>Device requirements and account recovery processes may also affect how passkeys are deployed, she said.<\/p>\n<h2 class=\"wp-block-heading\">Hybrid model is expected during the transition<\/h2>\n<p>A full transition away from passwords is unlikely in the near term, analysts believe.<\/p>\n<p>\u201cExpect a hybrid model lasting several years,\u201d van der Hout said, as organizations continue to support both passkeys and traditional authentication methods.<\/p>\n<p>During this period, organizations will need to manage authentication across multiple login options while ensuring that fallback methods do not weaken overall security, she added.<\/p>\n<p>The NCSC similarly advised maintaining strong authentication practices where passkeys are not yet available.<\/p>\n<h2 class=\"wp-block-heading\">Policy signal strengthens shift toward passwordless login<\/h2>\n<p>The guidance adds to broader efforts to move away from passwords in consumer authentication.<\/p>\n<p>\u201cThe guidance matters because it gives security leaders leverage,\u201d van der Hout said, including in discussions with vendors and internal stakeholders.<\/p>\n<p>The NCSC said that moving toward phishing-resistant authentication could reduce a major cause of cyber compromise, particularly in services that rely on user login credentials.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The UK\u2019s National Cyber Security Centre (NCSC) is recommending passkeys as the default authentication method for businesses to offer consumers, citing industry progress that now makes them a more secure and user-friendly alternative to passwords. 
In a blog post published this week, the agency said passkeys can now be recommended to both the public and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7916,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7915"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7915"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7915\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7916"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}