The NCSC Says It’s Time to Move on from Passwords

Passwords have been the cornerstone of online security since the early days of the internet. We’ve spent decades being told to make them longer, more complex, and different for every account. Now the UK’s own cybersecurity authority is telling us to do something entirely different.

The National Cyber Security Centre (NCSC), part of GCHQ, announced at its annual CYBERUK conference in Glasgow that it can no longer recommend individuals use passwords where passkeys are available. It’s the first time the agency has made this call, and it represents a significant shift in official UK guidance.

Read the full statement from NCSC

What Is a Passkey?

A passkey replaces your password with something your device generates and stores for you. When you log into a website or app that supports passkeys, your phone, tablet, or computer confirms it’s you – using your face, fingerprint, or PIN – and handles the authentication automatically. There’s no password to type, no code to copy from a text message, and nothing for a criminal to steal from a phishing email.

The key reason passkeys are considered more secure is that they’re resistant to phishing. They cannot be intercepted, reused, or stolen the way passwords can, which removes one of the most common ways accounts are compromised.

NCSC research found that all traditional multi-factor authentication methods – from passwords with one-time codes to push approvals – are inherently phishable. FIDO2 credentials, which include passkeys, were found to be either as secure or more secure than traditional MFA when faced with common credential attacks.

Why Now?

The NCSC had been watching passkey technology closely for some time. In 2025 it stopped short of endorsing passkeys, citing unresolved implementation challenges around account recovery and cross-platform portability. It now says that progress within the technology industry over the past year has addressed those concerns sufficiently to support a public recommendation.

That progress includes the ability to move passkeys between Android and Apple phones, which has made the technology viable for everyday use. The gaps that previously held the NCSC back have narrowed enough to act.

A number of popular online service providers already support passkeys, including Google, eBay and PayPal, and new data from Google shows the UK already leads global adoption, with just over 50% of active Google services users in the UK having one registered.

What About Businesses That Haven’t Moved Yet?

Passkeys aren’t available everywhere yet. Plenty of services still rely on passwords, and that’s not going to change overnight. Where passkeys aren’t available, the NCSC advises consumers and businesses to keep using the password and two-step verification combination – but to use a password manager so those passwords remain complex and unique to each service.

This is where password managers remain genuinely important. If a site doesn’t support passkeys yet, a strong, unique password generated by a password manager is still your best line of defence. Reusing passwords across accounts continues to be one of the most common ways businesses end up compromised.

How AOIT Networks Approaches This

AOIT Networks includes 1Password for Business as part of its managed security offering. It generates and stores strong, unique passwords for every account – and critically, it also supports passkeys and TOTP (time-based one-time passwords, the codes generated by authenticator apps), all synchronised securely across devices.

That means whether a service your team uses supports passkeys today or is still relying on traditional passwords, your staff are covered. As more platforms adopt passkeys, 1Password will handle them seamlessly alongside your existing credentials – there’s no need to change tools or manage multiple systems.

The NCSC’s announcement is a direction of travel, not an overnight switch. AOIT Networks helps partners navigate that transition without disruption, making sure the right controls are in place now and evolving as the landscape changes.

What This Means for UK SMBs

If you run a business and your team is still logging into systems with passwords they’ve chosen themselves and reused elsewhere, this announcement should prompt a conversation. Keeping passwords unique means that if they end up in an infostealer dump, they can’t be used to access several accounts. That’s not a theoretical risk – credential theft is one of the most common entry points for business breaches.

The NCSC’s guidance isn’t aimed at security professionals. It’s aimed at ordinary users of digital services – which includes every member of your team logging into Microsoft 365, your accounting software, your CRM, or your banking portal each morning.

The shift to passkeys will happen gradually. But the underlying principle – that passwords on their own are no longer a reliable defence – is not new. Acting on that now, with the right tools in place, puts your business in a stronger position regardless of where individual services are in their own transition.

If you’d like to understand how password management and passkey support could work across your business, we’re happy to walk you through it.

Got Questions About Your IT?

Questions about your setup? Wondering if there’s a better way to do things? We’re always happy to have a no-pressure conversation about your IT needs.

AOIT Networks has been supporting UK businesses for over 13 years. We keep things simple, honest, and focused on what actually works for you. Whether you’re dealing with a specific challenge, planning for growth, or just want a second opinion on your current IT infrastructure, our team is here to help.

No sales pitch. No obligation. Just straightforward advice from people who genuinely care about getting it right.