Stop Using Passwords, says GCHQ
People should stop using passwords online, the UK’s cyber agency has warned. The National Cyber Security Centre (NCSC) said it was “overhauling decades of practice” by advising the public to stop relying on passwords for protection because they had become too vulnerable to hackers.
Experts at the NCSC, an arm of GCHQ, say that is because most phishing attempts begin with criminals stealing or compromising a person’s login details.
Instead, it is encouraging everyone to adopt passkeys, a password-free sign-in method, deemed much more secure because they cannot be stolen from servers.
Officials likened them to a “digital stamp”, which is created and stored on your device. They hailed the development as both simpler and safer for users.
For many users, that means using their biometric data, such as facial recognition or fingerprints, or their phone’s PIN to create and authenticate their passkey. It effectively creates a secure digital key on your phone, computer or tablet. Experts say this means that even if a website service using passkeys is breached, attackers can only gain “public” keys, which are useless on their own.
Passkeys have already been rolled out by many of the Government’s digital services, including the NHS.
As well as making patients’ health data more secure, the health service is thought to have made significant cost savings from the switch, because passkeys remove the need for multi-factor authentication, such as receiving a time-sensitive code sent by text message.
Major online service providers such as Google, Microsoft, eBay and PayPal have also moved towards encouraging the use of passkeys.
According to the NCSC, the UK is already the leading country for passkey adoption. That is supported by data from Google, with more than half of the tech giant’s active UK users registered with one.
Jonathon Ellison, the director for national resilience at the NCSC, said: “The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys. They are a user-friendly alternative which provide stronger overall resilience.
“As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”
The NCSC said it stopped short of endorsing passkey adoption last year, amid reservations about their implementation. But the agency said that progress within the tech industry meant they were now judged to be both more secure and user-friendly, and encouraged businesses to adopt them as the default option for consumers.
In a technical report scheduled to be published on Thursday, the NCSC will detail how passkeys are always as secure as, and generally more secure, than using the strongest possible password in combination with a two-step verification system.
Where online services do not support passkeys, the NCSC’s advice is to use a password manager to create stronger passwords and keep using two-step verification.
Chris Hosking, from cybersecurity company SentinelOne, said passkeys have the added advantage of taking the “onus for security away from people”.
He said: “The reality is we all juggle dozens of logins across our work and personal lives and expecting all your employees to create and manage strong, unique passwords for each one simply isn’t realistic. Inevitably people reuse them or stick with the same ones for years.
“That’s why so many major breaches start the same way – a popular service with authenticated users gets breached, those passwords and emails land in data dumps on the dark web, triggering a domino effect that compromises multiple sites and systems. Passkeys remove entire classes of attacks, as there’s no password to steal or reuse.”