UK pioneering global move away from passwords
Image by PopTika / copyright Shutterstock
Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.
Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.
This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.
The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.
In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.
AI and Digital Government Minister Feryal Clark said: “The rollout of passkeys across GOV.UK services marks another major step forward in strengthening the UK’s digital defences while improving the user experience for millions.
“Replacing older methods like SMS verification with modern, secure passkeys will make it quicker and easier for people to access essential services — without needing to remember complex passwords or wait for text messages.
“This shift will not only save users valuable time when interacting with government online, but it will reduce fraud and phishing risks that damage our economic growth.”
NCSC Chief Technical Officer Ollie Whitehouse said: “The NCSC has a stated objective for the UK to move beyond passwords in favour of passkeys, as they are secure against common cyber threats such as phishing and credential stuffing.
“By adopting passkey technology, government is not only leading by example by strengthening the security of its services but also making it easier and faster for citizens to access them.
“We strongly advise all organisations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins and to save significant costs on SMS authentication.”
The NCSC has also today announced that it has joined the FIDO Alliance, the global body shaping the future of password-free authentication. This step will allow the UK to play an active role in the evolution of passkey standards.
Executive Director and CEO of the FIDO Alliance Andrew Shikiar said: “The UK government’s adoption of passkeys across its digital services reflects a profound decision that stands to protect UK citizens while providing the government with greater security and operational efficiency. By prioritising modern, phishing-resistant authentication, the UK is setting a strong example for both the public and private sectors in the UK and beyond.
“We’re also very pleased that the NCSC has joined the FIDO Alliance, which allows agencies across the UK government to collaborate with other thought leaders in the Alliance to advance the development and deployment of foundational technologies that will strengthen our collective cyber resilience.”
As described in a recent blog, the NCSC views passkeys as the future of online authentication, and is working with vendors and organisations to make passkeys widely available as an option for users.