The UK’s National Cyber Security Centre (NCSC) has fully backed passkeys, stating that they “should now be consumers’ first choice of login”.
This follows a shift over the last 12 months which saw the agency work closely with the Fast IDentity Online (FIDO) Alliance, observe positive progress across the passkey ecosystem and see success in the use of passkeys within the National Health Service (NHS).
The NCSC no longer recommends passwords, except where passkeys are not available on a digital service.
Just last year, the agency outlined a number of remaining challenges, which tended to center on inconsistencies across the passkey ecosystem: the multiple ‘flavours’ of passkeys available, the different terms used to describe passkeys, which could cause confusion, and a lack of consensus on when passkeys should be used.
The NCSC said progress within industry means passkeys can now be recommended to the public as the more secure and user-friendly login method and to businesses as the default authentication option to offer consumers.
For businesses, the authentication guidance is to use single sign-on (SSO) wherever possible. Now that the NCSC has rolled out its position on passkeys to consumers, it is expected to provide more guidance to business in the future.
The FIDO Alliance is an industry consortium that develops open standards to reduce the world’s reliance on passwords and improve online authentication security. These standards include FIDO2 and WebAuthn which allow users to sign in using biometrics, security keys, or device‑based authentication instead of passwords.
In 2025, the UK government released plans to roll out passkeys across all digital services.
Google made passkeys the default sign-in option for all users in 2023. Meanwhile, Apple made the move to passkeys soon after in 2024. Microsoft made passkeys available to all consumer accounts in 2025 and said they would do a “much better job” than passwords at protecting accounts from malicious attacks.
