The era of “123456” and “Password123” is officially drawing to a close. In a landmark shift for national digital safety, the National Cyber Security Centre (NCSC) has issued an urgent call for UK citizens to ditch traditional passwords in favor of passkeys—a cryptographic alternative they describe as the most significant upgrade to online security in decades.
On Thursday, the NCSC announced it is “overhauling decades of security practice,” moving away from the familiar advice of “long and complex passwords” to a “passwordless” future. The agency reports that passkeys are now mature enough for mainstream adoption, with major platforms like Google, Apple, and X (formerly Twitter) already supporting the tech.
Why the Change?
For years, the battle against hackers has been a game of cat and mouse. Despite the rise of password managers and multi-factor authentication (MFA), 80% of data breaches still involve weak or reused credentials.
”Passkeys are a user-friendly alternative that provide stronger overall resilience,” says Jonathan Ellison, NCSC Director for National Resilience. “They relieve the headaches that remembering passwords has caused us for decades.”
The shift is already gaining momentum: recent data suggests over 50% of active Google users in the UK have already registered a passkey.
How Passkeys Work: The “Secret” That Isn’t Shared
Unlike a password, which is a “shared secret” stored on a company’s server (and therefore stealable), a passkey uses public-key cryptography.
- The Pair: Your device (phone or laptop) generates a unique pair of mathematical keys. One stays locked on your device (the private key), while the other is shared with the website (the public key).
- The Handshake: When you log in, the website sends a “challenge.” Your device signs it using your biometric (Face ID, Touch ID) or PIN and sends it back.
- The Result: The website verifies the signature. Because the actual “private key” never leaves your phone, there is nothing for a hacker to intercept.
The Death of Phishing
Perhaps the biggest advantage of passkeys is their immunity to phishing. While a hacker can trick you into typing a password into a fake website, they cannot trick a passkey. The digital handshake only works on the legitimate, registered domain. If you are on a fraudulent site, your device simply won’t offer the option to sign in.
Is It a “Silver Bullet”?
While security experts at BCS, the Chartered Institute for IT, have praised the move, they warn that passkeys are not a flawless solution.
- Lost Devices: If you lose your phone and haven’t synced your passkeys to a cloud service (like iCloud or Google Password Manager), account recovery can be complex.
- Patchy Support: While big tech is onboard, many smaller websites still rely on old-fashioned logins.
- Sharing Hurdles: Unlike a Netflix password you might share with a partner, passkeys are tied to specific hardware or encrypted vaults, making “easy sharing” more difficult without specialized tools like 1Password.
For sites that don’t yet support passkeys, the NCSC continues to recommend using a dedicated password manager and enabling two-step verification (MFA). However, the message from the UK’s cyber guardians is clear: if the option for a passkey is there, take it.
Do you want to advertise with us?
Do you need publicity for a product, service, or event?
Contact us on WhatsApp +2348033617468, +234 816 612 1513, +234 703 010 7174
or Email: validviewnetwork@gmail.com
CLICK TO JOIN OUR WHATSAPP GROUP
