What the NCSC actually said
On 23 April 2026, the UK’s National Cyber Security Centre published a public advisory calling on online services to move away from passwords and make passkeys the standard way for consumers to log in.
“Passkeys are the more secure and user-friendly login method and should be the default authentication option for consumers.”
— National Cyber Security Centre, April 2026 (source)
The statement is notable because it moves beyond the NCSC’s previous guidance of recommending long, unique passwords managed by a password manager. The organisation is now actively pushing for passkeys to replace passwords outright, rather than supplement them.
What a passkey actually is
A passkey is a digital credential based on public-key cryptography. When you register a passkey with a website, your device generates two mathematically linked keys: a public key that the website stores, and a private key that stays on your device and never leaves it.
When you log in, the website sends a challenge and your device uses the private key to sign it. The website verifies the signature using the public key it already holds. No password is ever typed, transmitted or stored.
To approve the sign-in, you use whatever method unlocks your device: a fingerprint, a face scan or a PIN. This means you are not relying on remembering or protecting a secret string of characters.
Why the NCSC considers passkeys more secure than passwords
Traditional passwords create several points of failure that passkeys eliminate by design.
Passwords can be stolen through phishing websites that mimic legitimate services. Because a passkey is cryptographically bound to the exact domain of the legitimate service, a fake site cannot receive or replay the credential even if a user visits it accidentally.
Passwords can be exposed in data breaches if a company stores them poorly. Because the private key never leaves the user’s device, there is nothing for an attacker to steal from the service’s database.
Passwords can be guessed, reused across sites, or shared. Passkeys are unique to each service and cannot be guessed through brute force or credential-stuffing attacks.
The NCSC has long identified phishing and credential theft as primary routes through which UK consumers lose access to accounts and fall victim to fraud. Passkeys address both vectors directly.
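The sign-in exchange and the domain binding described above can be shown in a few lines. This is an added example, not taken from the NCSC advisory or from any platform's code: a simplified model in JavaScript (Node.js), not the real WebAuthn message format. The site names and the functions register, signIn, verifyLogin and demo are constructed for illustration.

```javascript
// Added illustration: simplified passkey sign-in, not the WebAuthn wire format.
// Every name and origin below is constructed for this example.
const nodeCrypto = require('node:crypto');

// Device side: one key pair per site, filed under the origin it was created for.
const deviceKeys = new Map();
function register(origin) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  deviceKeys.set(origin, privateKey); // the private key stays on the device
  return publicKey;                   // only the public key goes to the website
}

// Device side: the browser, not the page, supplies the origin that gets signed.
function signIn(origin, challenge) {
  const privateKey = deviceKeys.get(origin);
  if (!privateKey) return null; // no passkey exists for this origin
  const clientData = JSON.stringify({ origin, challenge });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Website side: check challenge, origin and signature against the stored public key.
function verifyLogin(expectedOrigin, expectedChallenge, publicKey, response) {
  if (!response) return false;
  const { origin, challenge } = JSON.parse(response.clientData);
  if (origin !== expectedOrigin || challenge !== expectedChallenge) return false;
  return nodeCrypto.verify('sha256', Buffer.from(response.clientData), publicKey, response.signature);
}

// Three cases: a genuine login, a look-alike domain, and an old response reused.
function demo() {
  const site = 'https://example-bank.test';
  const lookalike = 'https://examp1e-bank.test';
  const publicKey = register(site);
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  const genuine = signIn(site, challenge);
  const freshChallenge = nodeCrypto.randomBytes(32).toString('hex');
  return {
    genuine: verifyLogin(site, challenge, publicKey, genuine),
    lookalike: verifyLogin(site, challenge, publicKey, signIn(lookalike, challenge)),
    replayed: verifyLogin(site, freshChallenge, publicKey, genuine),
  };
}
```

Only the genuine login verifies. The look-alike domain has no key on the device to sign with, and a response captured from an earlier login fails because each challenge is used once.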
Which platforms and services already support passkeys
Passkeys are already available to UK consumers across a wide range of platforms and services. Apple introduced passkey support across iOS, macOS and Safari from 2022, storing them in iCloud Keychain. Google added passkey support to Android and Chrome, backed by Google Password Manager. Microsoft supports passkeys on Windows 11 and in Microsoft accounts.
Among consumer-facing services, PayPal, Amazon, eBay and a growing number of UK banks and retailers have introduced passkey login options (figures on total UK adoption pending verification at time of publication).
Consumers can check whether a specific site supports passkeys using the community-maintained directory at passkeys.directory, which lists services by category and platform.
What this means for scams targeting UK mobile users
The NCSC’s advisory is directly relevant to the types of fraud that affect UK mobile users most frequently. Smishing messages, which arrive via SMS and push recipients to fake login pages, rely on stealing passwords or one-time codes. A passkey-protected account removes the password from that attack chain entirely.
Similarly, SIM-swap fraud, where attackers convince a mobile network to transfer a victim’s number in order to intercept SMS-based one-time codes, becomes far less damaging against accounts that use passkeys rather than SMS verification.
For consumers concerned about account takeover on mobile, switching to passkeys wherever a service offers them is one of the most effective single steps available right now.
For broader context on account takeover tactics affecting UK consumers, see our Mobile scams hub.
How to set up a passkey on your device
The exact steps vary by service, but the general process on a smartphone is consistent.
Go to the security or account settings of a supported service and look for an option labelled “passkeys,” “passwordless sign-in” or “biometric login.” Select it, confirm the setup using your fingerprint or face scan, and the passkey is created and saved to your device’s secure enclave and cloud backup.
On iOS, passkeys are saved to iCloud Keychain automatically if iCloud is enabled. On Android, they are saved to Google Password Manager by default, though some Android manufacturers offer their own credential managers.
Once set up, the next time you log in you will be prompted to use your biometric or device PIN instead of a password. Most services allow you to keep a password as a backup during a transition period, though the NCSC’s position is that services should move to making passkeys the primary and default option rather than an optional extra.
What to do if a service you use does not yet support passkeys
Not all services have introduced passkeys, and some UK consumers will be waiting for their bank, energy provider or retailer to catch up. In the meantime, the NCSC’s existing advice remains relevant.
Use a different, randomly generated password for every account. A password manager such as Bitwarden, 1Password or the built-in options in iOS and Android makes this practical without requiring you to remember each one. Enable two-factor authentication using an authenticator app rather than SMS where the option is available, as app-based codes are more resistant to SIM-swap attacks than codes sent by text message.
If you receive a suspicious text message asking you to click a link and log in to any account, do not click the link. Forward the message to 7726 (spells SPAM), which reports it to your mobile network for investigation at no cost to you.
If you believe an account has already been compromised, contact the service directly and report the incident to Action Fraud on 0300 123 2040 or at actionfraud.police.uk.
What to expect next
The NCSC advisory is part of a broader international push, coordinated through the FIDO Alliance, to make passkeys the standard authentication method across the web. The NCSC’s public statement signals that UK government and industry bodies are now actively encouraging services to treat passkeys as the default rather than an advanced feature.
For consumers, the practical implication is that prompts to set up a passkey on accounts you use regularly are likely to increase throughout 2026. The NCSC’s position is that accepting those prompts is the right choice.
Further updates on UK passkey adoption and related account security guidance will be covered in the Mobile scams hub.