People should stop using traditional passwords over fears they are too vulnerable to hackers, the UK’s cyber agency has warned.
The National Cyber Security Centre (NCSC) announced it was ‘overhauling decades of practice’ by advising the public to stop relying on passwords for protection.
The change in guidance is because most phishing attempts start with criminals compromising or stealing a person’s logins.
Instead, everybody is being encouraged to adopt passkeys, a more secure and convenient alternative to passwords.
Passkeys, likened to ‘digital stamps’, do not need to be remembered as they are created by software on the device.
For many, that means using biometric data – such as a fingerprint or facial recognition – or their phone’s PIN to create and authenticate their passkey.
This preferred method allows for a secure digital key on your phone, computer or tablet – and can save users one minute every time they sign in.
Experts at the NCSC, an arm of GCHQ, say that even if a website that uses passkeys is breached, hackers can only access ‘public’ keys, which on their own are useless.
The NCSC is now encouraging people to adopt passkeys, a sign-in method which is password-free, which is deemed more secure because they can’t be stolen from servers (pictured: the Government Communications Headquarters)
When a user first logs in to a device, the system sends a digital key to specific devices.
This allows a user to log in safely on future occasions without needing a password, text message or other code.
The key remains stored on the device and cannot be easily intercepted or stolen – with third parties unable to access accounts using other devices.
Passkeys have already been implemented in many of the Government’s digital services, like the NHS.
In addition to securing patients’ health data, passkeys are thought to have made significant cost savings because they remove the need for multi-factor authentication like receiving time-sensitive codes sent via text message.
The use of passkeys has since been adapted by major online services such as Google, Microsoft, PayPal and eBay. Data from Google suggests more than half of their UK users are registered with one.
Jonathon Ellison, the director for national resilience at the NCSC, said passkeys provide ‘a user-friendly alternative which provide stronger overall resilience’.
He said: ‘As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.’
The NCSC said that last year it stopped short of endorsing passkey adoption due to reservations regarding their implementations.
However, the agency has said progress within the tech industry has since meant passkeys have been deemed more secure and user-friendly, and has encouraged businesses to implement them as the default option for consumers.
On Thursday, a technical report by the NCSC will outline how passkeys are as secure, if not more secure, than the strongest possible password in combination with a two-step verification process.
And in the instance where online services do not support passkeys, the NCSC advises using a password manager to create stronger passwords and keep using two-step verification.
Chris Hosking, from cybersecurity company SentinelOne, said passkeys remove ‘entire classes of attacks’.
He said: ‘The reality is we all juggle dozens of logins across our work and personal lives and expecting all your employees to create and manage strong, unique passwords for each one simply isn’t realistic.
‘Inevitably people reuse them or stick with the same ones for years.
‘That’s why so many major breaches start the same way – a popular service with authenticated users gets breached, those passwords and emails land in data dumps on the dark web, triggering a domino effect that compromises multiple sites and systems.
‘Passkeys remove entire classes of attacks, as there’s no password to steal or reuse.’
