Your Passwords Are Officially Obsolete, According to Britain's Top Intelligence Agency

The National Cyber Security Centre’s declaration marks a watershed moment in authentication history. Passwords, invented at MIT in 1961, have long been the default, but the rise of AI‑driven credential‑cracking and phishing has eroded their reliability. By officially retiring passwords, the NCSC aligns the UK with a growing global consensus—seen in the U.S., EU, and major tech firms—that password‑less solutions are the next security frontier. This policy change not only reflects technical evolution but also signals regulatory encouragement for stronger, user‑friendly safeguards.

Passkeys, built on public‑key cryptography, replace secret strings with device‑bound credentials. When a user logs in, the private key never leaves the device, while the public key is shared with the service, eliminating the primary vector for credential theft. The NCSC highlights four advantages: speed (logins up to eight times quicker), security (near‑phishing immunity), cost (cutting millions in SMS verification fees), and usability (no memorization). Adoption is already notable—about half of UK Google users have enabled passkeys—while platforms like eBay, PayPal, and Microsoft Azure extend support, creating a robust ecosystem that eases migration for both consumers and enterprises.

For businesses, the transition promises tangible benefits and new challenges. Reducing reliance on SMS verification can lower operational expenses and improve customer experience, while integrating passkey APIs may require updates to legacy authentication flows. Companies that act early can differentiate themselves through enhanced security posture and compliance with emerging standards such as the FIDO Alliance. Conversely, organizations that delay risk falling behind regulatory expectations and exposing themselves to credential‑based attacks. The NCSC’s guidance thus serves as both a warning and an opportunity: embrace password‑less authentication now to future‑proof digital identities.