In 2026, the UK’s NCSC officially endorses passkeys as the default authentication standard. They urge users to move away from passwords toward a frictionless, more resilient login experience with passkeys front and center.
The guidance flips decades of conventional advice. If a passkey exists, you should skip the password. The change came after a technical report delivered at CYBERUK, the NCSC‘s annual conference.
The report concludes passkeys are at least as secure as, and generally more secure than, passwords and two‑step verification (2SV).
Last year, implementation challenges included inconsistent passkey naming, uneven device support, and limited credential‑manager compatibility. Since then, gaps have narrowed enough for action by developers, platforms, and users alike.
Google, eBay, and PayPal are highlighted by the NCSC for making adoption easier. Around half of UK Google users registered at least one passkey, a clear win for user onboarding.
Microsoft made passkeys the default nearly a year ago, showing a corporate shift toward passwordless confidence and speed.
Where passkeys aren’t available, the NCSC still advocates password plus 2SV, assisted by a password manager to keep credentials complex and unique per service.
For readers of Reg, keeping passwords unique matters: if a dump leaks, unique passwords prevent cross‑site reuse. The 2SV layer adds a further shield against attackers who obtain credentials.
NCSC director Jonathon Ellison frames the shift with practical optimism:
“The headaches that remembering passwords have caused us for decades no longer need to be part of logging in where users migrate to passkeys— they are a user‑friendly alternative with stronger resilience.”
“As we accelerate the UK’s cyber defenses at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern threats,” he adds.
Passkeys work by creating a cryptographic key pair between a user’s device and the protected account. They can’t be guessed or phished, are up to eight times faster to use than passwords, and end credential fatigue.
Promoting passkeys isn’t a whim. It’s a practical step toward robust security, and the NCSC is leaning into adoption to strengthen the nation’s digital life.
Richard Horne, the NCSC chief executive, notes that today’s cyberattacks hover near recent trends, while geopolitics and frontier AI push defenders to stay vigilant. He frames this moment as a call to prioritize security hygiene.
In 2026, institutions can prioritize routine hygiene: patch systems, train staff, and roll out passkeys where possible to reduce friction and risk.
Passkeys and NCSC: The 2026 security shift
If your platform supports passkeys, switch now. The benefits accumulate quickly when users login with a device they own and trust.
Users gain speed and security. The login flow becomes less fiddly, and phishing risk drops as a cryptographic handshake replaces static credentials.
Even for non‑passkey sites, the guidance remains practical: combine passkeys where possible with 2SV backups, and keep a password manager handy for the rest.
Adopting passkeys with NCSC: practical steps
Check device compatibility across Windows, macOS, Android, and iOS. Prepare to update password policies for sites not yet passkey-enabled.
Encourage users to register passkeys for their accounts. Provide clear onboarding and backup recovery options to avoid lockouts.
Use a password manager for non‑passkey sites. A manager keeps unique, strong passwords separate from passkeys, reducing cross‑site risk.
In the long run, passkeys aren’t a gadget fad. They are a pragmatic path to resilient digital life. The NCSC‘s guidance remains pragmatic and hopeful.
Richard Horne, the NCSC chief executive, notes that today’s cyberattacks hover near recent trends, while geopolitics and frontier AI push defenders to stay vigilant. He frames this moment as a call to prioritize security hygiene.
In 2026, institutions can prioritise routine hygiene: patch systems, train staff, and roll out passkeys where possible to reduce friction and risk.
Have thoughts on passkeys and NCSC guidance? Share your perspective in the comments.
Original article: Thank you to the NCSC for the original source material.
External sources
- Google: Passkeys overview
- FIDO Alliance: Passkeys explained
- Microsoft: Passwordless authentication overview

