Passkeys are the more secure future, the UK’s official National Cyber Security Centre (NCSC) has stated. That’s according to a technical report released during CYBERUK, the UK government’s flagship cyber security event, this year in Glasgow.
Jonathon Ellison, Director for National Resilience at the NCSC, part of the Government agency GCHQ, said: “Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake. The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience. As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”
In brief
At all stages of a credential’s lifecycle, and against all commonly observed attacks, FIDO2 credentials including passkeys are as secure or more secure than all forms of traditional MFA (multi-factor authentication) for IT users, according to the document. For the report visit the NCSC website.
Background
Last year, the UK government announced it would roll out passkey technology for its digital services as an alternative to SMS-based verification.
Comments
Niall McConachie, regional director (UK and Ireland) at Yubico, says: “In response to the challenging AI-powered threat landscape, a global transition is underway – users are moving away from passwords towards stronger, more resilient technologies. The clear successor is the passkey, which is rapidly emerging as the new standard for secure authentication.
“This isn’t just a niche trend. Last year, the UK Government announced its own plans to embrace passkeys for its digital services, citing them as the recommended method for enhanced security. The move is expected to not only offer users a more secure authentication option but also save millions of pounds annually, demonstrating a clear return on investment.
“It’s therefore imperative that we move away from authentication methods like passwords and instead turn our attention to foolproof methods like device-bound passkeys, which offer the highest level of security. These physical security keys are totally resistant to phishing attempts and can’t be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts. They also manage logins across all users’ platforms and devices – meaning attackers can’t use AI to get around the wall of defence the physical key provides. Only with a bullet-proof authentication method like this can users rest easy, knowing their accounts are safe from whatever hacking capabilities AI brings next.”
Steven Furnell, senior IEEE member and professor of cybersecurity at the University of Nottingham, said: “The NCSC’s recommendation to use passkeys ‘wherever a service supports them’ is good from both security and usability perspectives. Passkeys have been specifically designed to overcome our primary problems with passwords.
“However, the ‘wherever supported’ aspect is a potential challenge, because many users won’t be able to follow the guidance uniformly or consistently across the services they use. Many sites and services still don’t offer passkey support, so users will find themselves with a mixed login experience.
“Another likely challenge is that many users won’t know what passkeys are, or why they’re now the thing to be looking for. We’ve been telling them for years to use better passwords, and then to use two-step verification or MFA. And now there’s something else. It’s still the correct advice, but no matter how good passkeys are, we need to recognise that this is going to be a long game rather than flipping a switch.”
And Kevin Marriott, Director of Cyber Content Strategy and IP at the platform Immersive, described the move towards passkeys as a crucial step forward, reducing many of the risks tied to stolen credentials and phishing. He said: “Bad actors are always looking for the weakest link, and for years that has been passwords. Even ‘strong’ passwords create an illusion of security, leaving multiple entry points for attackers. Rather than hoping to keep data secure with passwords alone, passkeys provide an added layer of protection, requiring bad actors to do extra work and limiting the avenues they can use to gain access to sensitive information.
“However, the bigger challenge the NCSC faces is changing user behaviour from passwords to passkeys. A baseline knowledge of cybersecurity is necessary, and organisations need to take the lead in creating this culture. It should involve shared, engaging, scenario-based learning, rather than focusing on blame or the ‘death by presentation’ approach into which cyber training can often fall.”





