Passwords have been part of everyday online life for decades. But according to the UK’s cyber security experts, they may no longer be enough to keep people safe.
The National Cyber Security Centre (part of GCHQ) has now said that passkeys should replace passwords as the default way to log in to accounts.
It’s a significant shift, and one that reflects how quickly cyber threats are evolving.
Why passwords are becoming a problem
Many cyber-attacks start with stolen login details.
That can happen in a few different ways:
- Phishing emails or texts that trick people into sharing passwords
- Data breaches where login details are exposed
- Weak or reused passwords that are easy to guess.
Once a password is compromised, attackers often try it across multiple accounts. If you’ve reused it — which many people do — the impact can quickly spread.
In short, passwords were never designed for today’s threat landscape, and they’re increasingly being exploited.
What is a passkey?
A passkey is a newer way to sign in, one that removes the need for a password entirely. Instead of typing anything in, you log in using your device.
That might mean:
- Face recognition
- Fingerprint scan
- A device PIN.
Behind the scenes, passkeys work using a pair of digital keys:
- A private key, stored securely on your device
- A public key, held by the website or app.
When you log in, your device proves your identity using the private key, without ever sharing it. The website only ever holds the public key, which can't be used to sign in. That means even if a company suffers a data breach, attackers can’t use what they’ve stolen to access your account.
The main advantage is that passkeys remove the weak points that come with passwords.
They are:
- Resistant to phishing. There’s no password to steal
- Not reusable. Each passkey is tied to a specific service
- Device-based. Attackers would need access to your actual device.
Passkeys are generally considered at least as secure as, and often more secure than, strong passwords combined with two-step verification. They’re also faster to use, with some estimates suggesting logins can be completed several times quicker.
Where passkeys are already being used
Adoption of passkeys is already underway across major platforms. Companies like Google, eBay and PayPal now support passkeys. The UK government is also rolling them out across its own digital services, including parts of the NHS.
And uptake is growing quickly, with more than half of UK users on Google services already having a passkey set up.
But not every service supports passkeys yet. Where they’re not available, the advice hasn’t changed:
- Use a password manager to generate strong, unique passwords
- Turn on two-step verification (2SV) wherever possible.
These steps still offer a strong level of protection, especially compared to reusing simple passwords.
What should you do now?
For most people, this isn’t about switching everything overnight. But it does signal where things are heading.
Passkeys are likely to become the default login method over time, replacing passwords in the same way contactless payments replaced PIN entry for everyday use.
For now, the key takeaway is simple: If a service offers passkeys, it’s worth turning them on.
Has your password been stolen?
With data breaches and scams continuing to rise, the way we protect our accounts is becoming more important. Moving away from passwords won’t solve everything. But it does remove one of the most common entry points for attackers.
If your details have already been exposed in a breach, stronger logins can only go so far. You can check if you may be eligible to join a data breach claim through Join the Claim.