
NCSC: Leave passwords in the past - passkeys are the future

The UK's National Cyber Security Centre (NCSC) has updated its official guidance to recommend passkeys as the default authentication method for consumers and businesses, replacing traditional passwords. Passkeys provide superior resilience against modern cyber threats, particularly phishing and credential theft, while offering a faster, more user-friendly login experience.

Analyzed: 2026-04-23 (reports)

Authors: NCSC

Source: NCSC

Key Takeaways

  • The NCSC officially recommends passkeys as the default authentication method over traditional passwords.
  • Passkeys are highly resistant to phishing attacks and cannot be intercepted, reused, or guessed.
  • Adopting passkeys reduces password fatigue, speeds up the login process, and eliminates the need for complex password creation.
  • For services that do not yet support passkeys, users should utilize password managers combined with two-step verification (2SV).
  • Transitioning to passkeys can save service providers money by replacing costly SMS-based verification systems.

Affected Systems

  • Online accounts
  • Digital services
  • Authentication systems
  • Identity Providers (IdP)

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules are provided as this article discusses strategic authentication policy and guidance rather than specific threat detection.

Detection Engineering Assessment

EDR Visibility: None — This is a strategic authentication recommendation, not an endpoint threat that generates EDR telemetry.

Network Visibility: None — Authentication policy changes do not directly generate network threat telemetry.

Detection Difficulty: N/A — There is no specific threat to detect; the focus is on implementing secure authentication mechanisms.

Required Log Sources

  • Authentication logs
  • Identity Provider (IdP) logs

Hunting Hypotheses

Hypothesis: Users are still relying on legacy authentication methods (passwords without 2SV) instead of migrating to passkeys or strong MFA.
Telemetry: Identity Provider (IdP) logs, Authentication logs
ATT&CK Stage: Credential Access
FP Risk: Low
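The hypothesis above can be tested directly against IdP sign-in records. The following Python script is an added example, not part of the NCSC guidance or this report; it assumes a hypothetical JSON-lines export in which each successful sign-in carries a `method` (e.g. `passkey` or `password`) and an optional `mfa` field naming the second factor. The sample log lines are constructed for the example. It groups successful sign-ins per user into phishing-resistant, password with 2SV, password with SMS-only 2SV, and password-only, and lists the users whose sign-ins match the control gaps named on this page (no 2SV, or SMS-based verification).

```python
import json
from collections import defaultdict

# Constructed sample IdP sign-in events (JSON lines). Field names are
# assumptions for this example, not a real product's schema.
SAMPLE_LOG = """
{"ts": "2026-04-20T08:01:12Z", "user": "alice", "result": "success", "method": "passkey", "mfa": null}
{"ts": "2026-04-20T08:03:40Z", "user": "bob", "result": "success", "method": "password", "mfa": null}
{"ts": "2026-04-20T08:05:09Z", "user": "carol", "result": "success", "method": "password", "mfa": "totp"}
{"ts": "2026-04-20T08:07:51Z", "user": "dave", "result": "success", "method": "password", "mfa": "sms"}
{"ts": "2026-04-20T08:09:30Z", "user": "bob", "result": "failure", "method": "password", "mfa": null}
{"ts": "2026-04-20T08:11:02Z", "user": "erin", "result": "success", "method": "password"}
{"ts": "2026-04-20T08:12:45Z", "user": "bob", "result": "success", "method": "password", "mfa": null}
"""

# Method names treated as phishing-resistant; extend to match your IdP's vocabulary.
PHISHING_RESISTANT = {"passkey", "fido2", "webauthn"}
# Second factors the page flags as a control gap (SMS-based verification).
WEAK_SECOND_FACTORS = {"sms"}


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole hunt
    return events


def classify(event):
    """Bucket one sign-in by the strength of the authentication it used."""
    method = (event.get("method") or "").lower()
    mfa = (event.get("mfa") or "").lower()  # missing or null mfa means no second factor
    if method in PHISHING_RESISTANT:
        return "phishing_resistant"
    if not mfa:
        return "password_only"
    if mfa in WEAK_SECOND_FACTORS:
        return "password_weak_2sv"
    return "password_2sv"


def hunt(events):
    """Count successful sign-ins per user per bucket. Failed attempts are ignored:
    the hypothesis is about how users actually authenticate, not about attacks."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("result") != "success":
            continue
        user = ev.get("user")
        if not user:
            continue
        summary[user][classify(ev)] += 1
    return {u: dict(counts) for u, counts in summary.items()}


def users_needing_migration(summary):
    """Users with at least one successful password-only or SMS-backed sign-in."""
    return sorted(
        user for user, counts in summary.items()
        if counts.get("password_only") or counts.get("password_weak_2sv")
    )


if __name__ == "__main__":
    results = hunt(parse_events(SAMPLE_LOG))
    for user in users_needing_migration(results):
        print(user, results[user])
```

Run against the constructed log, the script reports `bob` (two password-only sign-ins; the failed attempt is not counted), `dave` (SMS as second factor) and `erin` (no `mfa` field at all), while `alice` (passkey) and `carol` (password plus TOTP) are not flagged. Treating a missing `mfa` field the same as an explicit null is deliberate: an export that omits the field for single-factor logins would otherwise hide exactly the accounts the hunt is looking for.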

Control Gaps

  • Reliance on SMS-based verification
  • Use of weak, reused, or easily guessable passwords

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Enable passkeys on all supported personal and enterprise accounts.

Infrastructure Hardening

  • Implement passkey support for customer-facing applications and internal enterprise services.
  • Phase out SMS-based two-step verification in favor of passkeys or stronger forms of Multi-Factor Authentication (MFA).

User Protection

  • Use a reputable password manager to generate and store strong passwords for services that do not yet support passkeys.
  • Enable two-step verification (2SV) on all accounts where passkeys are currently unavailable.

Security Awareness

  • Educate users on the security and usability benefits of passkeys and provide instructions on how to register them on their devices.
  • Continue to train staff to recognize phishing attempts, emphasizing that passkeys significantly reduce the risk of credential compromise.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1110 - Brute Force
  • T1528 - Steal Application Access Token