For decades, passwords have been the foundation of online security. But despite increasingly complex password requirements, data breaches, phishing attacks and credential theft continue to rise.
Now, the cyber security industry is moving towards something designed to be both safer and simpler: passkeys.
And the UK is quickly becoming one of the global leaders in this shift.
According to the UK’s National Cyber Security Centre (NCSC), passkeys should now be the preferred way for consumers to sign in to digital services wherever they are available.
What is a passkey?
A passkey is a secure digital credential stored on your device - such as your smartphone, tablet or laptop - that allows you to sign in without needing to remember a password.
Instead of typing a password, users simply authenticate using something they already use every day:
- Face ID
- Fingerprint recognition
- Device PIN
- Windows Hello
- Trusted device authentication
Behind the scenes, passkeys use modern cryptography to prove your identity securely without transmitting sensitive login information across the internet.
That means there’s no password to steal, reuse or accidentally expose in a phishing attack.
Why are passkeys considered more secure?
Traditional passwords have a fundamental weakness: they rely on information that can be guessed, reused, leaked or tricked out of users.
Passkeys work differently.
The NCSC describes passkeys as “phishing-resistant by design” because the secure credential never leaves the user’s device.
This dramatically reduces the effectiveness of common cyber attacks such as:
- Phishing emails
- Fake login pages
- Credential stuffing
- Password reuse attacks
- SMS interception attacks
Even if an attacker tricks someone into visiting a fake website, the passkey simply won’t work there.
For organisations, that means fewer compromised accounts. For users, it means a simpler and safer login experience.
The UK is helping lead the way
In 2025, the UK government announced plans to roll out passkey technology across GOV.UK digital services, replacing older SMS-based verification methods.
The NCSC has also joined theFIDO Alliance - the international body helping define global passwordless authentication standards - reinforcing the UK’s commitment to modernising digital identity and cyber resilience.
Meanwhile, services including the NHS have already begun introducing passkey support, placing the UK among the early adopters of large-scale passwordless authentication.
More recently, on World Passkey Day, NCSC CEO Richard Horne appeared on BBC Breakfast discussing why passkeys represent the future of online security.
The message from UK cyber security leaders is becoming increasingly clear: passwords alone are no longer enough.
Better security - and a better user experience
One of the biggest advantages of passkeys is that stronger security doesn’t come at the cost of usability.
In fact, many users find passkeys significantly faster and easier than traditional login methods.
There’s no need to:
- remember complex passwords
- reset forgotten credentials
- wait for SMS verification codes
- manually enter one-time passcodes
Instead, authentication becomes almost instant.
According to the NCSC, passkeys can save around a minute per login compared with traditional password and SMS verification flows.
That combination of convenience and security is one reason major platforms including Google, Apple, Microsoft and PayPal have all invested heavily in passkey support.
Are passwords disappearing overnight?
Not quite.... passwords will still exist for many services in the near future, particularly older systems and platforms still modernising their authentication processes.
The NCSC continues to recommend strong passwords and two-step verification where passkeys are not yet available. There are also still usability challenges being refined across the industry, especially around device changes, cross-platform compatibility and account recovery.
But the direction of travel is clear.
Passkeys are rapidly becoming the new standard for secure authentication - offering organisations a way to improve security while reducing friction for users.
A new era of authentication
Cyber security has long faced a difficult trade-off between stronger protection and user convenience.
Passkeys are one of the first authentication technologies to genuinely improve both at the same time.
As governments, technology providers and cyber security organisations continue investing in passwordless authentication, we are entering a new phase of digital identity - one designed around security by default.
And the UK is positioning itself at the forefront of that transition.
