What are passkeys and why do UK cyber chiefs want us to use them?

The UK’s National Cyber Security Centre (NCSC) has issued a strong recommendation for the public to transition away from traditional passwords towards passkeys, marking a significant shift in online security practices. This advisory signals a move to overhaul decades of established security protocols, championing passkeys as the most robust option for safeguarding digital accounts. While major technology providers like Apple, Google, and X already offer passkey integration, understanding what passkeys are and how they function is crucial as the nation embraces this new era of online authentication. The NCSC’s proactive stance comes amidst a worrying surge in data breaches, prompting a reiteration of long-standing warnings against the perilous habit of reusing passwords across multiple platforms. In response to these evolving threats, password managers and multi-factor authentication (MFA) methods have gained traction as valuable tools for strengthening login security and managing credentials. The NCSC posits that passkeys possess a superior resilience against sophisticated cyberattacks and the inherent vulnerabilities of human error. However, some cybersecurity experts caution that passkeys, while promising, are not an infallible solution.

At their core, passkeys serve the same fundamental purpose as passwords: to verify a user’s identity when accessing an online account. The key distinction lies in their methodology. Unlike passwords, which require users to recall complex combinations of characters, passkeys eliminate the need for memorization. Instead, a passkey is a unique piece of digital information intrinsically linked to a user’s account and specific to each website or application. This digital credential leverages advanced cryptography to perform authentication checks directly on a user’s device. This process is typically integrated with existing device security features, such as Face ID and Touch ID on Apple devices, and Face Unlock on Google Pixel phones.

The technical underpinning of passkeys is public key cryptography. As Daniel Card, a representative from BCS, the Chartered Institute for IT, explains, "Instead of you creating and remembering a shared secret, like a password, your device generates a secure key pair – one part stays on your device, and the other sits with the service you’re logging into." This mechanism ensures that no sensitive information is directly transmitted or stored in a way that is easily compromised. The authentication process typically involves a familiar action: unlocking your device using your fingerprint, facial scan, or PIN code. Crucially, it is only the confirmation that this verification has been successfully completed, not the biometric data itself, that is exchanged. Niall McConachie, regional director at cybersecurity firm Yubico, highlights the security benefits, stating, "These physical security keys are totally resistant to phishing attempts and can’t be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts."
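A simplified model of the key-pair sign-in described above, as an added example that is not part of the original article and does not use the real WebAuthn message format. The `Device` and `Service` classes and the `bank.example` origins are constructed for illustration; the signed payload is plain JSON.

```javascript
const crypto = require('node:crypto');

// Device side: one private key per site; private keys never leave this object.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    // Only the public half is handed to the service.
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Assumed to run only after the local unlock (fingerprint, face or PIN).
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this origin, e.g. a lookalike site
    const payload = Buffer.from(JSON.stringify({ origin, challenge }));
    return { payload, signature: crypto.sign('sha256', payload, key) };
  }
}

// Service side: stores the public key only and issues single-use challenges.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.publicKeyPem = null;
    this.pending = null;
  }
  enrol(publicKeyPem) { this.publicKeyPem = publicKeyPem; }
  newChallenge() {
    this.pending = crypto.randomBytes(32).toString('base64url');
    return this.pending;
  }
  verify(assertion) {
    if (!assertion || !this.pending) return false;
    const expected = this.pending;
    this.pending = null; // a challenge is accepted once, so replays fail
    const { origin, challenge } = JSON.parse(assertion.payload.toString());
    if (origin !== this.origin || challenge !== expected) return false;
    return crypto.verify('sha256', assertion.payload,
                         this.publicKeyPem, assertion.signature);
  }
}
```

The service never holds anything that can be used to sign in elsewhere, and a signature produced for a different origin or an old challenge is rejected.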

The NCSC, alongside a consensus among many cybersecurity professionals, believes that passkeys offer a level of security that is at least comparable to, and potentially superior to, existing MFA methods. These traditional MFA approaches often combine a strong password with an additional verification step, such as a code sent to another device. However, Card, echoing sentiments from other experts, wisely notes that passkeys are "not a silver bullet." A significant practical challenge arises if a user loses their device or their access to it is compromised. In such scenarios, managing and reconfiguring passkeys can become a complex undertaking.

Historically, the NCSC has refrained from advocating for the widespread adoption of passkeys due to what it termed "implementation challenges." These hurdles included the slow pace of adoption by various platforms and inconsistent support across the digital landscape. A substantial number of online services still do not offer passkeys as an alternative or supplementary authentication method to passwords. Nevertheless, according to the FIDO Alliance, an industry consortium dedicated to advancing a password-less future, the technological infrastructure for passkeys is now robust, with support extending across all major operating systems, web browsers, and a growing number of third-party service providers.

The increasing integration of passkey technology, exemplified by the UK Government’s own adoption of them across its digital services last year, signifies a substantial shift. McConachie observes that this widespread support indicates that "this isn’t just a niche trend." Card further elaborates on the evolutionary progression of online security: "Moving from passwords to password managers, app-based MFA, and now passkeys is a step change in reducing risk." This evolution, he concludes, is precisely why prominent organizations like the NCSC are endorsing passkeys, and why many within the security community are already embracing them wherever their implementation is feasible. The transition to passkeys represents a significant stride towards a more secure and user-friendly online environment, promising to alleviate the long-standing burden of password management.
