Why the NCSC Wants Businesses to Ditch Passwords
UK's National Cyber Security Centre (NCSC) has recently made its position clear on the use of passwords. Where possible, it wants businesses and consumers to be using passkeys instead of passwords.
While passwords have been the foundation of online security for many years now, they remain one of the most common ways attackers gain access to accounts. Whether through phishing, credential theft, password reuse or social engineering, compromised passwords continue to feature heavily in cyber incidents affecting organisations of all sizes.
The NCSC's latest guidance reflects a growing recognition that traditional passwords are no longer enough on their own.
Why now?
Passkeys are not new. The underlying technology has existed for several years, but adoption has accelerated as major technology providers, software vendors and identity platforms have begun supporting them more widely.
Many organisations still rely heavily on usernames and passwords because they are familiar, widely supported and deeply embedded within existing systems. The challenge is that passwords rely on a shared secret. Both the user and the service hold the same credential, meaning security is often limited by the strength of the password itself and the user's ability to protect it.
Passkeys take a different approach. They use asymmetric cryptography, where a private key remains securely stored on a trusted device and is paired with a public key held by the service being accessed. This eliminates any risk of credential reuse, and features like attestation allow organisations to control what type of passkeys are used, making it difficult for credential theft to occur.
The NCSC's recommendation is part of a broader push towards stronger, phishing resistant authentication methods that better reflect how modern threats operate.
The benefits for businesses
One of the biggest advantages of passkeys is that they remove much of the human error associated with password security.
Users no longer need to create and remember complex passwords, while organisations reduce the risks associated with weak credentials, password reuse and phishing attacks. Because each passkey is unique to the service it is used with, a compromise in one system does not create a domino effect across others.
There are also operational benefits. Many IT teams spend significant time dealing with password resets, account lockouts and credential related support requests. Passkeys can help reduce this burden while improving the user experience.
Modern passkeys are also tied to trusted devices and commonly use biometric authentication or hardware backed security features already built into laptops and smartphones. It enables organisations to apply transparent security, creating a smoother login experience while making it significantly harder for attackers to gain unauthorised access.
Making the move
For most organisations, moving to passkeys should be approached as part of a wider identity and access management strategy.
The first step is understanding where passkeys can be introduced. Most major cloud platforms, identity providers and business applications now support them, making it possible to start with high value accounts and privileged users before expanding more broadly. Adopting SSO (Single Sign On) helps reduce friction in the process, because it means there’s a centralised place to implement passkeys, and control what trusted devices can authenticate. This should be paired with reviewing systems that operate in isolation, that may not support passkeys or rely on legacy authentication, and treating these as elevated risk.
Importantly, passkeys are not just a technology deployment. Organisations need clear processes around device management, user onboarding, account recovery and user education to ensure the transition is successful.
Overcoming barriers
The biggest obstacle for many organisations is legacy technology. Older applications and on premises systems may not support modern authentication methods, making immediate adoption difficult.
However, that should not be a reason to delay improving authentication security altogether. Organisations that cannot yet implement passkeys should focus on strengthening multi-factor authentication, moving away from SMS based verification where possible and introducing conditional access controls to reduce account takeover risk.
The move away from passwords is unlikely to happen overnight, but the direction of travel is clear. Businesses that start planning now will be in a far stronger position than those waiting until a security incident forces the issue.
Passkeys are not a silver bullet, and they do not remove the need for layered security controls, monitoring or user awareness. What they do offer is a practical and proven way to reduce one of the most common attack paths organisations continue to face.
If you’re keen to understand more, Acumen Cyber's Nathan Davies-Webb, Principal Consultant was featured in a recent SC Magazine UK article here: https://insight.scmagazineuk.com/the-ncsc-wants-you-to-adopt-passkeys-is-it-time-to-finally-drop-passwords