In 2025, the National Cyber Security Centre (NCSC) has made its position clear: it’s time to move beyond passwords and embrace passkeys as the future of login security. This blog post distils the NCSC passkey advice into plain language, explaining why passwords are problematic and how passkeys promise a simpler, safer alternative. We’ll cover the problems with passwords, the current measures used to secure them, what passkeys are and how they work, why passkeys offer better anti-phishing protection than traditional multi-factor authentication (MFA), and how your organisation can implement a transition to passkeys.


The Problem with Passwords

For decades, passwords have been the primary guard for our digital accounts – yet they increasingly fail to protect us. Most cyber breaches today involve compromised passwords or other credentials. Attackers use tactics like phishing (tricking you into entering your password on a fake site) or simply guess weak passwords to hijack accounts. Far too often, people still rely on common, easily guessable passwords – “123456”, “password1”, and the like – which offer practically no security. Even otherwise strong passwords become dangerous if you reuse them across sites: a data leak at one service can give criminals the keys to all your other accounts.

Beyond security risks, passwords are a headache for users. The average person manages around 170 different passwords for various accounts. Remembering unique, complex passwords for each account is nearly impossible – so people write them on sticky notes, store them insecurely, or reuse them, all of which create vulnerabilities. It’s no wonder that over half of users forget and need to reset a password at least once a month. This is frustrating for individuals and costly for businesses (consider the support time spent on resets). In short, traditional passwords are both a security liability and a productivity drain.

Meanwhile, attackers are doubling down on password-based attacks. Microsoft’s security report observed an astonishing 7,000 password attacks per second in 2024 – more than double the rate from just a year prior. Automated tools throw billions of leaked credentials or dictionary words at login pages, and phishing campaigns reel in victims’ login details by the thousands. Passwords alone can’t withstand these onslaughts. As the NCSC bluntly puts it, passwords “were never really suitable” for securing modern online accounts.


Plasters for Passwords: Making the Best of a Bad Situation

Recognising the weaknesses of passwords, the industry has developed several methods to lessen the risk. Think of these as plasters – they help, but they don’t fully cure the underlying problem:

  • Stronger Password Policies: Many services enforce minimum length, complexity (mix of letters, numbers, symbols), or passphrase requirements. This can stop the “password123”-style guesses, but it often frustrates users and leads to other risky behaviour (like writing passwords down). Frequent mandatory changes were once advised, but modern guidance – including NCSC’s – now warns against forcing regular password resets without cause, as it can do more harm than good (users tend to choose even weaker passwords when forced to change too often).

  • Password Managers: To cope with dozens of logins, password manager apps (or built-in browser managers) have become indispensable tools. They generate and store long, unique passwords for each account so you don’t have to remember them all. The NCSC explicitly recommends using password managers to avoid traps like reusing passwords or picking common passwords. By locking all your creds in an encrypted vault accessible via one master password (and increasingly with biometric unlock), a password manager lets you achieve strong, unique passwords everywhere with minimal effort. This vastly improves security hygiene – but it still doesn’t eliminate the passwords themselves. Even in a manager, those passwords could be stolen if the master password or device is compromised. And not everyone uses a manager, leaving many accounts protected by weak or repeated passwords.

  • Two-Factor/Multi-Factor Authentication (2FA/MFA): Perhaps the biggest boost to password security has come from adding an extra verification step at login. With 2FA/MFA enabled, an attacker who steals your password still can’t get in without that second factor (like a one-time code from your phone, an app prompt, or a hardware token). The NCSC urges enabling two-step verification on accounts whenever possible – it’s an important defence. However, not all MFA is equal. Some forms of 2FA (notably SMS text codes or generic authenticator app codes) can themselves be phished or intercepted by determined attackers. We’ve seen phishing sites that ask for your one-time code right after your password, or criminals tricking users into approving a login prompt. So while MFA greatly reduces opportunistic attacks, it isn’t fool-proof – especially if the second factor can be conned out of the user. The NCSC notes that “not every type of MFA is strong” in the face of modern threats, meaning methods like text messages are better than nothing but still vulnerable. Only certain phishing-resistant 2FA methods (like physical security keys or FIDO2-based tokens) truly close that gap – and those, historically, have been niche due to cost or convenience issues.

In short, password managers and MFA are workarounds for an inherently flawed authentication method. They improve security, and you should absolutely use them today. In fact, the NCSC’s current guidance for organisations (as of early 2025) still revolves around “ passwords + something extra” – because until recently, there wasn’t a viable replacement for passwords across the board. But wouldn’t it be better if users didn’t have to remember any passwords at all, and attackers had nothing to phish in the first place? Enter passkeys.


Passkeys: A Simpler, Safer Alternative to Passwords

Imagine if logging in could be both more secure and easier for everyone. Passkeys promise exactly that. A passkey is a new way to sign in without using passwords, developed as a standard by the FIDO Alliance and supported by the big tech players (Apple, Google, Microsoft, and others). The NCSC has embraced passkeys as “the future of modern authentication”, because they solve the core problems passwords never could. In fact, passkeys directly address the weaknesses listed above:

  • No more passwords to remember or guess: When you create a passkey for an account, you do not set a password at all. Instead, your device (phone or computer) generates a pair of cryptographic keys. One key is public and gets stored with the online service (akin to a lock on their end), and the other key is private, staying safely on your personal device (this private key is like the secret that can open the lock). You don’t need to know or see these keys – your device manages them for you.
  • Phishing-resistant by design: Because of how passkeys work (using cryptographic challenges behind the scenes), you never divulge your secret key. There’s no typed password or code that a scammer could trick you into sharing. Each passkey is unique to the website or app it’s created for. This means if you get an impostor email linking to a fake banking site, your device won’t have a valid passkey for that bogus site – it literally cannot “log in” because the cryptographic credentials won’t match. (More on the anti-phishing benefit in a moment.)
  • No reuse across sites: Since a new key pair is generated for every account, there’s zero risk of one site’s breach giving away a “master” secret that unlocks your other accounts. The stolen data from a hacked website is useless for attacking others. Passkeys inherently enforce unique credentials per site without relying on the user’s memory or diligence.
  • Stronger protection against theft: Private keys are typically stored in secure hardware on your device (like the secure enclave/chip or an encrypted keystore). Also, using a passkey usually requires you to unlock your device or credential manager (for example with your fingerprint, face ID, or device PIN) at the moment of login. This means an attacker needs more than just “knowing” a secret – they’d need physical access or biometric access to your device, which is far harder to obtain. In contrast, a stolen or leaked password can be used from anywhere by anyone.
  • Faster and easier user experience: With passkeys, login can be as simple as a fingerprint scan or clicking “yes” on your phone – no typing required. The NCSC observes that because the whole check happens instantly between your device and the service, logging in with a passkey is often about 8× faster than using a password plus a code. Microsoft measured their users taking ~8 seconds for a passkey sign-in versus ~69 seconds with a password and 2FA code. For users, that’s a game-changer: security improving convenience instead of undermining it. No more struggling to recall or reset passwords – just a quick, secure confirmation and you’re in. Passkeys also eliminate “password fatigue” – the exhaustion of creating and managing passwords all the time.

So what exactly happens when you use a passkey? Let’s break down how passkeys work in practice:

How Passkeys Work (Under the Hood)

  1. Creating a Passkey (Enrollment): The first time you sign up or switch to passkeys on a website, your device will generate that key pair (one public, one private) behind the scenes. You might be prompted to verify yourself with a device PIN or biometric at this moment. The public key is sent to the website and stored in your account profile. Think of it like registering your “key” with the service – except unlike a password, this public key on its own can’t unlock anything for an attacker. The private key remains on your device, typically protected by strong encryption. Often, the private key is managed by your operating system’s credential manager (for example, Apple’s iCloud Keychain, Google’s Password Manager, or Microsoft Authenticator/Windows Hello). If you have multiple devices in the same ecosystem, the system can securely sync your passkey (private key) to your other devices via encrypted cloud backup. This way, you can log in from your phone or your laptop interchangeably. (Or you can create additional passkeys for other device platforms as needed.)
  2. Logging in with a Passkey (Authentication): When you return to that website or app to log in, you no longer enter a password. Instead, you’ll see an option to use your passkey. When selected, the website sends a challenge to your device: basically a random piece of data for your device to sign as proof. Your device will prompt you to confirm it’s really you – usually by unlocking the device or tapping a fingerprint/FaceID prompt, the same way you unlock your phone regularly. That action (which stays local – you’re not sending your fingerprint to the website, it just unlocks the key on your device) allows your device to use the private key to sign the challenge. The device then sends back the signed challenge to the website. The website checks this using the public key it has on file for you, and if it verifies, you’re logged in. All this happens in a split second. Crucially, the private key itself never leaves your device, and you never had to type any secret that a phishing site could intercept.
  3. No Password, No Problem: From the user’s perspective, logging in might involve clicking your account name and confirming a biometric prompt – a much smoother flow than typing an email, a password, and possibly an OTP code. If you’ve ever used “login with Face ID” or a fingerprint on a banking app (without entering a password), you’ve experienced a form of this. Passkeys extend that convenience across the web, standardised so it works on any supported site. They are built on the WebAuthn and FIDO2 standards, which the tech industry jointly supports to ensure interoperability.

In summary, a passkey replaces the shared secret (password) with a pair of keys: one public (with the service) and one private (with you). Only when your private key (unlocked by something like your fingerprint) signs in response to the service’s challenge can a login succeed. It’s a bit like a handshake where your device proves “I have the secret key” without ever revealing what that secret is. This elegantly sidesteps the major threats that plague password-based systems.

Are passkeys really that secure? The NCSC and other experts are convinced they offer far better protection than passwords. Passkeys leverage proven cryptographic techniques that have been used in security tokens for years – but now in a user-friendly form. The fact that tech giants are making passkeys available on billions of devices is a strong vote of confidence. Still, as with any new tech, there are practical considerations and some limitations (more on that shortly). First, let’s look at one of the biggest selling points of passkeys: stopping phishing and account takeover attacks.


Why Passkeys Beat Passwords (and MFA) at Stopping Phishing

One of the most common ways attackers steal accounts is by phishing – tricking someone into giving away their credentials. This could be through a fake website that looks identical to the real login page, or a forged email asking you to reset your password on a malicious link. With passwords (even with SMS or app codes), phishers have had a lot of success. They lure victims to enter their username, password, and if prompted, the 2FA code, giving the attacker everything needed to hijack the account in real time. We’ve seen expensive incidents where high-value targets were phished despite having SMS 2FA enabled – the code was simply requested on the fake page. Traditional 2FA adds friction for the attacker, but doesn’t eliminate phishing risk unless it’s a phishing-resistant method.

Passkeys virtually eliminate this risk. Why? Because as described above, there is no shared secret that the user manually types in. The login challenge and response are bound to the genuine website through cryptographic protocols (the process is tied to the web domain). Your device will not sign a login challenge for “badguy.com” with the key that’s meant for “yourbank.com” – it just won’t recognize the wrong domain. The NCSC highlights that passkeys “stop phishing” because separate passkeys are used for each site, so your device can’t be tricked into authenticating the wrong one. Even if you are fooled into visiting a fake website, the passkey technology won’t complete a login for it. In contrast, if you were fooled with a password, you would unknowingly hand it over along with any OTP code you enter.

Also, with passkeys there’s nothing sensitive that you can divulge to an attacker. An email or caller asking “What’s your passkey?” is nonsensical – you can’t give them a usable string like you could with a password or a code. An attacker would need to compromise your device’s secure storage (much harder than duping you via phishing). In a way, passkeys turn the tables on phishers: the user doesn’t need to distinguish a real site from a clever fake – the browser or device will do that validation automatically and just won’t proceed if things don’t match up.

It’s also worth noting that passkeys are invisible to keyloggers or shoulder-surfers. There’s no keyboard input of a secret to capture or overhear. And unlike SMS codes, there’s no opportunity for SIM-swap fraud or code theft, because the “second factor” in a passkey login (your biometric/PIN unlock) never travels over the network – it’s local on your device.

Leading security experts underscore the significance of this phishing protection. In one industry commentary, it was noted that “perhaps the most important security attribute of passkeys is that they are phishing resistant. An attacker cannot steal your passkey and then use it to access your online account”. This is a fundamental improvement over passwords and typical 2FA. Even if an attacker somehow got hold of the public key from a service’s database, it’s useless without your private key (which they can’t get via phishing or database leaks). In short, passkeys close the door that most scammers have been sneaking through.

It’s important to mention that not all multi-factor authentication is equal in phishing resistance. Security keys and passkeys (which are based on the FIDO2 standard) are considered phishing-resistant MFA, whereas SMS and TOTP codes are not. The US government, for example, has been pushing agencies to adopt phishing-resistant MFA for high-security use cases. Passkeys give that level of protection in a very user-friendly package. The NCSC’s emphasis on passkeys reflects their high confidence in this benefit: as they point out, passkeys can’t be phished and thereby tackle the root of so many breaches.

To be clear, this doesn’t mean passkeys make you invincible to all cyber attacks. No solution is silver bullet – for instance, attackers may shift tactics to target account recovery processes or use malware on devices to steal an authenticated session token. But eliminating stolen passwords and ‘phishable’ codes from the equation is a huge leap forward in securing accounts. It forces criminals to attempt much harder approaches than sending mass phishing emails.

Bottom line: If phishing is an ongoing battle, passkeys are a decisive new defence. They significantly reduce the risk of account compromise compared to passwords or basic 2FA. This strong security gain, combined with greater ease of use, is why the NCSC and industry leaders are so keen on passkeys.


Implementing Passkeys: How to Move Your Organisation Beyond Passwords

Adopting passkeys represents a shift in both technology and mindset. Many organisations are now asking: How do we actually implement passkeys for our users or customers? The good news is that you don’t have to build the system from scratch – the capabilities are rapidly becoming available in platforms and web standards. However, successful rollout does require planning and user education. Here’s how you can approach a move to passkeys:

1. Update Your Technology Stack (Support Passkey Standards): To use passkeys, your applications (websites or mobile apps) must integrate with the standard protocols (namely FIDO2/WebAuthn). If you use a major customer identity platform or an enterprise login solution, check their support for passkeys. Many platforms have started enabling WebAuthn authentication options. For example, Microsoft, Google, and Apple have all built passkey support into their ecosystems and developer frameworks. Ensure your IT team or identity provider enables passkeys as a login option. This might involve software updates or configuration changes on login pages. CDP can assist with evaluating your current systems and identifying the steps needed to incorporate passkey support.

2. Start as an Option (Phase in the Deployment): It’s rarely wise to force a sudden change on all users. NCSC’s advice is to make passkeys available as an option to users, at least initially. For instance, you can offer users the choice to “Sign in with a passkey” alongside the usual username/password method. Early adopters and security-conscious users will try it out. Over time, as comfort and availability grow, you can encourage more people to use passkeys. The UK’s NCSC is even encouraging organisations to lead by example – offering passkey login options to customers, and the UK government itself is exploring letting citizens use passkeys for services like the GOV.UK One Login portal. By introducing the feature early, you demonstrate your organisation is forward-thinking on security and usability.

3. Educate and Support Your Users: New login methods can be confusing to non-technical users at first. Be prepared to provide clear instructions or prompts on how to set up and use passkeys. In practice, using a passkey might involve a user tapping a prompt on their smartphone or confirming via their computer’s biometric sensor – significantly simpler than setting a password, but it’s still new to people. Consider creating a quick guide or FAQ. Emphasise the benefits (no more passwords to remember, and improved security). Also, reassure users about device support: for example, they can use their smartphone as a passkey to log into your web service on a laptop, even if the laptop doesn’t have a fingerprint reader. This cross-device capability is built into the technology via QR codes or push notifications in many implementations. With a bit of guidance, users will quickly see that passkeys are straightforward. (Many will have already encountered passkeys on Google, Microsoft, or Apple services by now, as those companies are pushing the feature widely.)

4. Plan for Recovery and Exceptions: One of the challenges with going passwordless is handling scenarios when something goes wrong – say a user loses their phone (with their passkeys on it) or isn’t using a compatible device. Your implementation plan should include account recovery processes. For example, you might still allow a fallback to email-based recovery or another method if a user’s device is lost, or provide backup codes when they enrol a passkey. The NCSC notes that users need to know what to do if they lose a device with passkeys, and service providers should guide them through setting up backups (like having passkeys synced to a cloud account or adding more than one device as a passkey authenticator). It’s also wise to harden your recovery workflows against social engineering, because attackers may target those when they can no longer phish the login itself. For instance, implement extra verification steps for someone trying to recover an account, to ensure it’s not an impostor making the request. Additionally, consider edge cases: some users might not have a smartphone or might be on older hardware that doesn’t support passkeys. Plan an alternative for them, such as a continued password+OTP login for those specific cases, or even issuing FIDO security keys if appropriate. Over time, these exceptions will dwindle as devices and standards unify, but during the transition you’ll want a safety net.

5. Gradually Move to Default Passwordless: Once passkeys have been an option for a while and a good portion of your user base is using them, you can consider making passkey login the default path. This is exactly what tech giants are doing: Microsoft recently announced new consumer accounts will be “passwordless by default,” nudging users to set up passkeys or similar from the start. Google has made passkeys the default sign-in method for all users who have them enabled. You don’t have to be an industry giant to follow suit in your realm. You might, for example, stop prompting users to create a password at registration and instead guide them to create a passkey (with an option to fall back to a password if they really can’t). The timeline for this will depend on your user demographics and risk appetite, but the end goal is clear: eventually eliminate the password field entirely. The NCSC’s vision is that passkeys become the norm and passwords a rarity. Monitor your support tickets and security metrics: if password-related issues (resets, account lockouts, phishing attempts) drop dramatically as passkeys rise, that’s a strong signal to push forward.

6. Leverage Expert Help: Implementing a new authentication system can be challenging, but you don’t have to go it alone. At CDP, we specialise in helping organisations strengthen their security postures with modern solutions. Our team can assist with the technical integration of passkeys into your infrastructure, ensuring it’s done in a standards-compliant and user-friendly way. We can also help develop the rollout strategy and internal policies (for example, deciding when to disable password logins, how to onboard users, etc.). We bring experience from working with FIDO2 technologies and aligning with best practices, including the latest NCSC guidance. By partnering with experts, you’ll save time and avoid common pitfalls on the road to passwordless security.

7. Stay Informed and Keep Improving: The passkey ecosystem is evolving. Industry groups are actively addressing the few remaining hurdles – for instance, making it easier to transfer passkeys between different ecosystems (so if a user switches from an iPhone to Android, they can carry their credentials). Standards are being refined to handle shared device scenarios and to ensure accessibility for all users. Keep an eye on updates from the NCSC, FIDO Alliance, and major tech platforms regarding passkey support. As these improvements roll out, incorporate them into your implementation. The NCSC is working alongside industry to iron out these issues and wants to see an “acceleration in progress” toward broad passkey adoption. By starting your passkey journey now, you’ll be ahead of the curve and ready to benefit from ongoing developments.

Remember, transitioning to passkeys doesn’t happen overnight. It’s a progression that involves technology, people, and process changes. But the end result – a world where users login quickly with a fingerprint or face scan, and attackers are largely kept at bay – is well worth the effort. The NCSC believes passkeys are the future and is actively championing them for all organisations and services. Early adopters will not only better secure their users, but also demonstrate innovation in user experience.


Conclusion

The writing is on the wall: passwords are on their way out, and passkeys (along with other passwordless solutions) are coming in to take their place. The NCSC’s 2025 guidance makes it clear that organisations should be preparing for a passwordless future, leveraging passkeys to improve security for themselves and their customers. By addressing “the problem with passwords” and implementing modern authentication like passkeys, you reduce the risk of phishing, credential leaks, and account takeovers, all while making the login experience smoother for users. It’s not often that security improvements also make life easier for your employees and customers – passkeys are that rare win-win.

At CDP, we understand the challenges of updating authentication systems and the importance of getting it right. Our experts are ready to help you navigate the shift to passkeys in a way that aligns with NCSC recommendations and your business needs. From technical integration to user rollout and training, we offer end-to-end support. We’ve helped organisations implement cutting-edge identity solutions that reduce fraud and support compliance with security standards.

Contact CDP today to discuss how we can assist your organisation in moving beyond passwords. Whether you want to pilot passkeys for workforce logins or implement them for your customer-facing applications, our team will bring the expertise needed to ensure a successful transition. By acting now, you can position your organisation at the forefront of cybersecurity best practice – following NCSC’s advice and leading your peers in the move to a safer, password-free future.

Let’s make password breaches and phishing worries a thing of the past. Embrace the future of authentication with passkeys – and let CDP help you every step of the way.


✅ Take Action Now

Contact Cyber & Data Protection today to discover how our tailored cyber security solutions and training can keep your business secure in a rapidly changing threat landscape.

If you believe your organisation may be affected, or you want to strengthen your cyber resilience, contact Cyber & Data Protection today for expert guidance and immediate support.

📧 Email: [email protected]
📞 Call: +44 1743 644404

Privacy Preference Center