Why the UK is now moving from passwords to passkeys

Passwords are still the weak point in most cyberattacks. Phishing emails, fake login pages, and reused credentials continue to catch people out, even in well-run organisations. In this article, Geraint Williams, Chief Information Security Officer at Modern Networks, sets out why the UK Government is changing its advice on how businesses should sign in. For anyone who runs, owns, manages, or leases workspace in a UK commercial building, this shift matters. The UK’s cyber authority is clear: passkeys, not passwords, are where things are heading.

The National Cyber Security Centre (NCSC), part of GCHQ, has updated its stance and is now advising people to use passkeys instead of passwords where they’re available, because passwords are “no longer resilient enough” against modern threats.

The NCSC also says passkeys should be the first choice of login across digital services, marking a clear shift away from decades of password-led advice.

Commercial buildings are busy places. Offices, shopping centres and science parks have lots of moving parts: staff, suppliers, contractors, tenants, shared services, and remote access. When login details get stolen, attackers do not need to break down a door. They just walk in digitally.

The NCSC’s change matters because it targets the main way criminals get in: stealing login details. The NCSC says most cyber harm starts when criminals steal or compromise login details, and moving to passkeys is a big step in improving resilience to phishing.

Passwords are easy to reuse, easy to trick people into typing, and easy to capture when people are under pressure. That is why phishing attacks keep working.

Government research backs this up. In the Cyber Security Breaches Survey 2025, organisations that reported a breach said phishing was the most common and most disruptive type of attack, affecting 85% of businesses and 86% of charities that experienced a breach or attack.

The same report also found 43% of businesses reported a cybersecurity breach or attack in the last 12 months.

A passkey is a modern way to sign in that removes the password from the process. The NCSC explains that passkeys are created and managed safely on your device, so you do not need to remember anything.

Instead of typing a password, you approve the sign-in using the way you already unlock your device, such as a fingerprint, face scan, or PIN.

The NCSC says passkeys are resistant to phishing because they cannot be intercepted, reused or stolen in the same way passwords can.

It also published a technical assessment at CYBERUK 2026 showing passkeys are at least as secure as, and generally more secure than, using the strongest password plus two-step verification. That matters for busy teams because it reduces the number of times someone can be tricked into handing over access.

The NCSC says industry support has reached the point where passkeys can be recommended broadly.
It also points out that several popular online services already support passkeys, including Google, eBay and PayPal. It even cites data from Google showing just over 50% of active Google services users in the UK have a passkey registered.

No. The NCSC is clear that where passkeys are not available, people should still use strong passwords, ideally generated by a password manager, and keep using two-step verification. So, for most organisations, this is a phased change. Some systems will move quickly. Others will take longer.

If you manage technology across a building, start by looking at the services you already use for email, collaboration, finance, HR, visitor processes, and contractor access. Then check which of them supports passkeys today. The NCSC notes passkeys are set up and managed through a “credential manager” on trusted devices and can sync across trusted devices for convenience. That means you can improve security without asking people to memorise even more rules.

If you want to understand what sign-in with passkeys looks like for your building, your tenants, and your day-to-day operations, speak to Modern Networks. We will help you map where passkeys are ready now, where passwords still need to stay for a while, and how to roll it out in a way that staff follow.