Experts champion passkeys as readers question how a phone PIN can beat a password

Passkeys – a new method of logging into online accounts without typing a password – are leaving many users scratching their heads. Among them is Martin Avis from Chester, who wrote to this newspaper asking how something as simple as a phone PIN or a facial recognition scan could possibly be safer than a complicated password with two-factor authentication. His question captures a widespread bewilderment as the UK’s National Cyber Security Centre (NCSC) officially recommends passkeys as the “first choice of login across all digital services”, marking a major shift from decades of conventional advice.

Why users are confused

The confusion is understandable. For years, internet users have been told to create long, unique passwords, to enable two-step verification, and to never reuse credentials. Now the message has changed. “I get that having something unique to your device, not stored on a company’s server, is unphishable, and less hackable by cybercrims,” Martin wrote, “but what if your phone is nicked and someone guesses the password? And what if you lose your phone?” Those are the exact concerns the NCSC and other cybersecurity authorities have had to address as they push passkeys into the mainstream.

How passkeys actually work

Passkeys replace the traditional password with a pair of cryptographic keys – one private, one public. The private key stays permanently on your device, never transmitted anywhere. The public key is registered with the website or app you are logging into. When you want to sign in, the service sends a challenge to your device, which uses its private key to produce a digital signature. Your device only does this after authenticating you – typically with a fingerprint, facial recognition, or a device PIN. This means a passkey is not a secret you remember and type; it is an automated process that combines “something you have” (the device itself) with “something you are” or “something you know”.

Why the NCSC says they are safer

The NCSC has stated that passkeys are “at least as secure as, and generally more secure than, pairing the strongest password with two-step verification.” The most critical advantage is that passkeys are unphishable. Each passkey is cryptographically bound to a specific website or app, meaning it will simply refuse to work on a fraudulent lookalike site. Even if a user is tricked into visiting a fake login page, the passkey cannot authenticate there. This renders classic phishing attacks – still one of the most common ways accounts are compromised – completely ineffective.

Another major security benefit is that passkeys eliminate shared secrets. With a password, the same string of characters is held by both the user and the service, which means it can be stolen from a company’s server in a data breach. Passkeys do not rely on any shared secret. The private key never leaves your device. Even if hackers break into a service’s database and steal all the public keys, those keys are useless without the corresponding private key stored on your phone or laptop. This makes passkeys breach-proof in a way passwords can never be.

The system also destroys the problem of password reuse. Every passkey is unique to a specific account, so even if one service is compromised, the stolen credential cannot be tried on other sites. Credential stuffing attacks, which rely on people reusing the same password across multiple platforms, are stopped dead. Furthermore, passkeys are randomly generated cryptographic keys of enormous complexity – they cannot be guessed or brute-forced. And because they inherently combine a device with biometrics or a PIN, they already satisfy multi-factor authentication requirements without the user having to juggle separate codes or hardware tokens.

Addressing the theft and loss worries

So what happens if someone steals your phone and guesses your PIN? The NCSC’s guidance acknowledges that device security is still paramount. If a thief gains access to your unlocked phone, they could potentially use passkeys stored on it. However, the passkey system is designed so that the biometric or PIN check happens on the device itself, and modern smartphones have strong protections against repeated guessing – often wiping data after a certain number of failed attempts. The bigger risk is probably a lost or stolen phone, but the industry has developed account recovery procedures. When you lose a device, you can revoke its passkeys using another trusted device or through the service’s account recovery process. The NCSC warns that weaker password-reset or account-recovery processes can still introduce risks if not properly secured, which is why organisations are urged to implement robust recovery flows. For users, the practical advice is to set up a second device – such as a tablet or a family member’s phone – as a backup so you are never locked out.

UK leads adoption – but challenges remain

The UK is reportedly leading global adoption of passkeys. According to the NCSC, over 50% of active Google users in the UK already have a registered passkey. Major technology companies including Apple, Google, Microsoft, eBay, and PayPal now support the system. The UK government is planning to roll out passkeys across its own digital services, such as GOV.UK, as an alternative to SMS-based verification – a move intended to improve security and reduce costs. The NHS is also implementing passkey-based systems for patient data security.

The benefits extend beyond security. Users no longer need to create and remember complex passwords or deal with those irritating complexity requirements. Logins are faster because credential managers present relevant account options automatically. The dreaded “forgot password” process disappears. For businesses, fewer helpdesk calls about password resets translate into significant cost savings.

But challenges persist. Passkeys are not yet universally supported by all services; where they are unavailable, the NCSC still advises using a password manager with two-step verification. Organisations with fragmented identity environments or legacy systems may face obstacles in adopting passkeys. Any passkey strategy must also consider non-human identities – machine accounts and automated processes – to avoid creating new security gaps. And, as Martin Avis’s question demonstrates, user education remains a significant hurdle. Communicating how this new system works, and why it is trustworthy, is a challenge that the NCSC and tech companies are still working to overcome.

Maribel Lockwoode

Health & Environment Reporter
Maribel Lockwoode is a health and environment reporter based in York, UK. She writes about public health policy, environmental challenges, and wellbeing issues, with a focus on evidence-based reporting and long-term public impact. Her coverage aims to inform readers through balanced analysis and reliable data.
· NHS and healthcare system reporting, environmental legislation tracking, data-driven public health analysis
· NHS policy and waiting lists, mental health services, climate action, wildlife and biodiversity, renewable energy, water quality