Passkeys are more secure than traditional ways to log in
Passkeys offer a more usable, secure replacement for passwords and are already supported by most modern devices.
At CYBERUK 2026 in Glasgow, the NCSC announced that we will begin recommending passkeys wherever a service supports them, and two‑step verification (2SV) where it does not. This shift will be reflected through our ongoing refresh of guidance rather than as a single sudden change.
This is not a decision taken lightly. It is based on extensive engagement with websites, app developers, technology vendors and the FIDO Alliance, alongside significant technical and sociotechnical research carried out by the NCSC.
As part of CYBERUK, we published a paper comparing – from an individual user’s perspective – the security properties of traditional multi‑factor authentication (MFA/2SV) and FIDO2 credentials, including passkeys.
How we compared different login methods
All credentials go through a lifecycle: they are created, stored and used, and often need to be synchronised, revoked or recovered. At different points in that lifecycle, credentials are vulnerable to different types of attack, and not all attackers have the same capabilities.
By breaking authentication down in this way – and focusing on the most common real‑world attack techniques – it becomes possible to compare very different credential types in a consistent and meaningful way.
Our analysis focused on the attacks most commonly seen against individuals today, including phishing, credential reuse and session hijacking.
Our assessment
From this analysis, the NCSC assesses that:
- All traditional MFA methods – including passwords combined with SMS codes, email codes, time-based one-time passwords (TOTP) generated by apps or physical tokens, or push approvals – are inherently phishable.
- FIDO2 credentials, including passkeys, are as secure or more secure than traditional MFA against all common credential attacks observed in the wild.
- When user verification is required as part of the login, FIDO2 authentication constitutes multi‑factor authentication.
- Because FIDO2 removes the ability to cheaply reuse or relay credentials, large‑scale attacks directly targeting correctly implemented passkeys are unlikely.
