What happened?
The National Cyber Security Centre (NCSC), the UK government's technical authority, published three articles on 23 April on passkeys, recommending them as the new norm.
The NCSC publications are based on its own technical report, which compares the threats targeting traditional password-based credentials, two-factor authentication (2FA) and passkeys.
The articles focus on explaining how passkeys should be adopted as the default authentication option for businesses and consumers. Given that 2FA was first widely adopted in the early 2000s, initially by financial institutions and later more widely by consumers, a replacement or alternative may seem overdue. However, passkeys are still in their infancy and continue to mature.
Several organisations, including Microsoft, have announced that they have taken the Passkey Pledge to implement and adopt passkeys as the new standard for login security. All else being equal, passkeys provide stronger and more phishing-resistant protection for users than traditional 2FA and should be the preferred option.
So what?
Given the previous and current government focus on strengthening our resilience as a nation to cyber threats, this announcement may come as no surprise to many businesses in the UK.
As passkeys will become the new standard for authentication, early adoption is likely to benefit most organisations and users as awareness grows around their ease of use. Passkeys are, in most cases, also more user‑friendly than 2FA.
For many organisations, passkey adoption will bring testing implications and additional costs, particularly where an existing 2FA solution may already be suitable.
There are also other challenges, such as third-party software solutions that do not yet support passkey authentication, or limitations of the user's device itself (e.g. a laptop without a TPM module). These adoption issues are similar to those seen in the early days of 2FA. But just as 2FA became mainstream, it is likely only a matter of time before passkeys become widely supported and used in both professional and personal capacities.
Financial institutions such as HSBC and Bank of America (US) have already adopted passkeys as a secondary method of authentication through their respective mobile banking applications.
The direction of travel is clear: passkeys are likely to become a standard security requirement for many organisations.
What should I do?
The implementation of passkeys will become a more pressing issue as their adoption becomes more widespread. Organisations should consider:
- Risk vs Cost – This is the first consideration for most organisations: should it be implemented now or later? If support is available and straightforward to implement without impacting usability, adoption is recommended, beginning with an appropriately tested trial for a small group of users.
- Device and ecosystem limitations – Passkeys rely heavily on modern hardware and software. Users with older devices or unsupported browsers may be unable to create or use them. Even where devices are compatible, the experience varies across ecosystems: Apple and Google generally offer smooth passkey synchronisation, while mixed or Windows‑heavy environments may find this less reliable. Organisations that rely on shared devices, virtual desktops or tightly controlled enterprise builds may also lack the necessary biometric sensors or secure hardware modules.
- Cyber insurance – Most modern cyber insurance policies now include explicit security requirements, 2FA being one of the most common, and failure to implement it may invalidate cover or increase premiums. With passkey adoption already underway (for example, Microsoft’s Windows Hello), it is likely that insurers will begin adding passkeys to policy conditions.
- User adoption – Employees may resist change, particularly if they do not understand the differences between passkeys and passwords. This can lead to confusion about where credentials ‘live’ and how to recover them. As passkeys require biometrics or PINs, some users may object to these features. User awareness should accompany or precede passkey implementation.