The UK's National Cyber Security Centre (NCSC) has officially recommended that people stop using traditional passwords and instead adopt passkeys for online accounts, calling it a long-overdue security upgrade. But what exactly are passkeys, and how do they work?
Passwords have been the standard for decades, but they are often weak, reused, or stolen in data breaches. Passkeys aim to solve these problems by using cryptographic technology built into modern devices.
What Are Passkeys?
A passkey is a digital credential linked to your account and unique to each website or app. Instead of typing a code, you authenticate using your device's built-in security features like fingerprint scanning, facial recognition, or a PIN. The passkey never leaves your device, making it resistant to phishing and theft.
How Do They Work?
Passkeys rely on public key cryptography. Your device generates a pair of keys: a private key stored securely on your device and a public key shared with the service you're logging into. When you sign in, your device proves it has the private key by performing a biometric or PIN check. Only the verification result is exchanged, not your personal data.
"These physical security keys are totally resistant to phishing attempts and can't be intercepted or stolen by remote attackers," says Niall McConachie of cybersecurity firm Yubico.
Why the Change?
The NCSC says passkeys reduce vulnerabilities tied to human error and data breaches. Jonathan Ellison, NCSC director for national resilience, calls them "a user-friendly alternative which provide stronger overall resilience," adding they could relieve "the headaches that remembering passwords have caused us for decades."
Are Passkeys Perfect?
Not entirely. Experts caution they are "not a silver bullet." Losing your device can complicate access, and not all platforms support passkeys yet. In those cases, the NCSC recommends using a password manager and multi-factor authentication.
Nevertheless, major tech companies like Apple, Google, and Microsoft support passkeys, and the UK government has started adopting them for digital services. As Daniel Card of BCS, the Chartered Institute for IT, notes: "Moving from passwords to password managers, app-based MFA, and now passkeys is a step change in reducing risk."
So while passkeys may not wipe out all security woes, they represent a significant leap forward in protecting our digital lives.