UK cyber chiefs say it's time to ditch passwords for passkeys - what are they?

Passkeys use public key cryptography: a private key stays on the user’s device while a public key is stored by the service. Authentication occurs through device verification (biometrics or PIN), and the service verifies the cryptographic proof rather than a shared secret. This makes passkeys resistant to phishing and remote theft; the approach is supported across major operating systems and browsers according to industry groups like the FIDO Alliance.

The National Cyber Security Centre (NCSC) states it is overhauling decades of security practice and recommends passkeys as the most secure option. It notes that platforms including Apple, Google and X already allow passkeys as an alternative to passwords. Passkeys are described as a cryptographic authentication tied to a specific site or app and do not require users to remember a secret. The process relies on device-level checks (such as biometric unlock or PIN) and exchanges only proof of authentication, not the secret itself. NCSC director Jonathan Ellison calls passkeys a user-friendly option with stronger resilience, while noting they are not a silver bullet and that some platforms still do not support passkeys everywhere.

The UK Government adopts passkeys across its digital services in 2025, signaling formal public-sector use of passkeys beyond individual platforms.