The NCSC Wants You To Adopt Passkeys: Is It Time To Finally Drop Passwords?

In April, the UK’s National Cyber Security Centre (NCSC) issued an alert, saying that passkeys should be used over passwords when they’re available.

Passkeys – FIDO cryptographic credentials tied to a user’s account on a website or application – have been around for a while. They offer multiple advantages over a password, including usability and better security because they are more resistant to phishing.

So, why is the NCSC issuing this recommendation now, and what should businesses be doing to start to adopt passkeys?

Evolving Security 

Passkeys as a form of security are evolving fast. In January 2025, NCSC described passkeys as promising but “not perfect.” By April 2026, it said industry progress was now strong enough to recommend passkeys wherever they are supported.

Nathan Davies-Webb, principal consultant at Acumen Cyber, believes the recommendation reflects a more general shift to increase the adoption of the standard behind passkeys. “Businesses are recognising that strong passwords can easily undermine other security controls and that identities need to be challenged using robust methods throughout the authentication lifecycle.”

It comes at a time when there has been a consistent rise in the number of attacks that involve credentials, such as passwords being obtained and abused, points out Sam Taylor, digital trust and cybersecurity expert at PA Consulting.

This is particularly dangerous where accounts have elevated privileges, as they can be used to inflict “significant damage,” he warns.

Passkey Benefits

Passkeys offer multiple benefits. Unlike passwords, passkeys cannot simply be intercepted, reused or stolen through fake login pages, points out Joshua Walsh, IT security practitioner at rradar. “If somebody clicks a fake login page, a passkey generally will not authenticate to the wrong website in the same way a password can. That removes a huge amount of the risk associated with email phishing and fake login portals.”
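How a relying party enforces the origin binding Walsh describes, as an added example that is not from the article or the NCSC guidance: it checks the WebAuthn fields that tie an assertion to one site, so a response produced on a look-alike domain fails. The domains, `RP_ID` and the function names are constructed, and the code assumes the assertion signature has already been verified against the stored public key.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party values (constructed for this example).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge, flags=0x05, sign_count=1):
    """Constructed sample of what a browser and authenticator return at `origin`."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    # authenticatorData: SHA-256(rpId) || flags (1 byte) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    return client_data, auth_data

def check_assertion_binding(client_data_json, auth_data, challenge):
    """Return the list of failed binding checks; an empty list means all passed."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), b64url(challenge).encode()):
        failed.append("challenge")
    # The browser, not the page, writes the origin the user is actually on.
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")
    if len(auth_data) < 37:
        return failed + ["authenticatorData"]
    # The authenticator hashes the RP ID the credential was scoped to.
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:  # UP flag: user presence was tested
        failed.append("user-present")
    return failed

if __name__ == "__main__":
    challenge = bytes(range(32))  # fixed for the demo; use os.urandom(32) in practice
    for origin, rp in [(EXPECTED_ORIGIN, RP_ID), ("https://login.example.net", "login.example.net")]:
        cd, ad = make_assertion(origin, rp, challenge)
        print(origin, "->", check_assertion_binding(cd, ad, challenge) or "accepted")
```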

There's also a usability advantage. Staff don't need to remember complex passwords or regularly reset them, says Walsh.

From a business perspective, it can also lower the volume of account recovery requests and password reset tickets, which is something IT teams spend “a surprising amount of time dealing with,” according to Walsh.

Another key benefit is that passkeys are tied to trusted devices and robust access methods already built into modern phones and laptops, such as biometrics and TPM chips. That makes authentication “more seamless for users” while also “raising the barrier for attackers trying to gain unauthorised access,” says Davies-Webb.

At the same time, since they are securely generated by devices rather than users, they can be considerably longer and more complex than passwords. This makes them more difficult to compromise through techniques that rely on trial and error, such as brute force, says Taylor.

How To Adopt Passkeys 

The benefits of passkeys are clear, but to adopt them within the business, experts recommend a gradual migration. “Most organisations will end up operating with a mixture of passwords and passkeys for some time because not every application or supplier supports them yet,” says Walsh.

A sensible starting point is enabling passkeys for high-value accounts first, particularly for administration accounts, finance systems, remote access platforms and any systems tied to sensitive business data, Walsh advises.

The first step is to understand where passkeys can realistically be introduced across your environment, says Davies-Webb. “Most major platforms and identity providers now support passkeys, so businesses should start by reviewing the systems employees use most frequently and prioritise high risk accounts first, particularly those with access to sensitive data or administrative privileges.”

Taylor advises organisations to first deploy passkeys to a small pilot group of users from across the enterprise before rolling them out across the wider estate. “This will allow them to gather a range of feedback, identify pain points and refine their approach.”

The NCSC guidance is clear that passkeys should form part of a wider move towards stronger, phishing resistant authentication. “That means businesses also need visibility over how users authenticate, what devices are trusted and where legacy authentication methods still exist,” says Davies-Webb.

Training is important as staff need to understand “what a passkey actually is, how it works across devices and what recovery options exist if a phone or laptop is lost,” according to Walsh.

Overcoming Challenges

It’s also important to be aware of any challenges that might occur. Organisations may use legacy technologies that are ill-equipped for modern authentication standards, or they might operate services that do not support passkeys.

In these cases, it’s key to maximise the security of existing authentication methods through strong password policies and multi-factor authentication (MFA), while encouraging vendors and managed service providers to include passkeys in their future roadmaps, says Taylor.

Another barrier is resistance to adoption, says Alex Laurie, CTM CTO at Ping Identity. He thinks much of this comes down to implementation and how clearly passkeys are explained to users. “A strong user experience is vital to wider acceptance. If people understand what passkeys are, how they work and how to use them, they are more likely to trust and adopt them. This adoption will also depend on supporting digitally disadvantaged and vulnerable users with secure alternatives beyond passwords.”

If a business doesn’t feel ready for passkeys yet, the next best option is still strong password hygiene, such as unique passwords stored in a password manager, plus MFA or two-step verification wherever possible, advises Matt Cooke, EMEA cybersecurity strategist at Proofpoint.

But this should be treated as “a transition phase, rather than a long-term plan,” he says. “The threat landscape is only getting tougher, and moving to passkeys takes time – from testing and integration through to user rollout and support – so the sooner businesses start planning, the easier the switch will be.”

Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist