UK cyber chiefs say it's time to ditch passwords for passkeys - what are they?

The UK's National Cyber Security Centre (NCSC) has issued a call to action for people to abandon traditional passwords in favour of passkeys, a more secure alternative. For years, passwords have been the default method for setting up and logging in to digital services. However, with the rise of data breaches and cyber threats, the NCSC believes it's time to overhaul decades of security practice.

The NCSC's recommendation to use passkeys comes after years of warning people about the dangers of using weak passwords, such as '123456' or pet names. The centre has also stressed the importance of not reusing the same password across different sites. While password managers and multi-factor authentication (MFA) methods have become more popular, the NCSC believes passkeys may offer even greater protection against hacks and human error.

So, what are passkeys? Unlike passwords, passkeys don't require users to remember a code or combination of letters, numbers, and symbols. Instead, they're a piece of digital information tied to a user's account and unique to each site or app they use.

Passkeys use cryptography to perform checks at the device level, often working in conjunction with built-in biometric sensors like Face ID and Touch ID on iPhones. According to Jonathan Ellison, the NCSC's director for national resilience, passkeys offer a user-friendly alternative that provides stronger overall resilience. He added that they could help alleviate the headaches caused by remembering passwords for decades.

Daniel Card of BCS, the Chartered Institute for IT, explains that passkeys work through public key cryptography, where a device generates a secure key pair - one part staying on the device, and the other sitting with the service being logged into. While passkeys are not a silver bullet, experts believe they may be at least as secure, if not more so, than MFA methods. Niall McConachie, regional director at cyber-security firm Yubico, notes that physical security keys are resistant to phishing attempts and can't be intercepted or stolen by remote attackers.

The NCSC and many cyber experts are backing passkeys, and with growing support from major operating systems, internet browsers, and third-party providers, it's likely that passkeys will become a more widespread way to secure online accounts.