What are passkeys? Why the NCSC is phasing out passwords

Passkeys are having a moment (and your passwords are… not). If you’ve spent the last decade collecting passwords like Pokémon (Gmail… LinkedIn… that one for the printer portal… oh look, another ‘Spring2024!’), you’re not alone. But the wider tech world has been quietly (and now loudly) marching towards a future where passwords get shoved into the same drawer as fax machines and wired mice from 2009.

The big headline: the UK’s National Cyber Security Centre has effectively said “if you can use passkeys, use passkeys,” which is a pretty major swerve from the old password advice we’ve all lived by. That shift in NCSC password guidance is part of a wider push because passwords, bless them, are famously easy to steal, reuse, guess, phish, and generally cause IT teams to develop stress eye twitches.

So let’s talk about what this actually means in normal human terms. What are passkeys, what changes for businesses, and why the phrase “I forgot my password” may finally be allowed to retire. Plus a passkeys vs passwords cage match.


So… what’s changed this week?

The NCSC has publicly backed passkeys as the default option where available, saying passwords shouldn’t be used when passkeys exist. An official move that signals passkeys have finally grown up and moved out of their parents’ house.

That matters because government guidance doesn’t change lightly. The whole point of this NCSC password guidance update is to reduce phishing and credential theft, the two greatest hits of “how breaches start.”

At the same time, the big platform vendors have been pushing hard, too. Especially Microsoft and Google. So this isn’t some niche security nerd thing anymore. It’s mainstream, it’s rolling out everywhere, and you’re going to hear about it whether you like it or not. (Sorry!)


Right then. What are passkeys?

Let’s do the simple version first. What are passkeys? They’re a newer way to log in that doesn’t rely on you typing (or reusing) a password. Instead, they use public-key cryptography: your device holds a private key that never leaves it, the service only stores the matching public key, and logging in means your device signs a fresh one-off challenge from the service. That signing step typically gets unlocked on your device with Face ID, a fingerprint, or a PIN.

If you’re asking what are passkeys in practical terms, think “tap to confirm” rather than “type the thing you made up in 2017 and have been clinging to ever since”. They’re designed to be far more resistant to phishing for two reasons: there isn’t a password to trick you into handing over on a fake login page, and each passkey is bound to the website it was created for, so a look-alike domain simply can’t use it.

(Also, if you’re still thinking “ok but what are passkeys really?” They’re essentially a login credential tied to your device or credential manager, the private half of a key pair, rather than a shared secret you have to remember.)


Passkeys vs Passwords. The cage match nobody asked for…

Let’s be honest. Passkeys vs Passwords is not a fair fight.

Passwords fail in two very human ways:

  1. We reuse them
  2. We can be tricked into typing them into the wrong place

That’s why phishing works. That’s why credential stuffing works. That’s why one leaked password can turn into ten compromised accounts.

In the passkeys vs passwords debate, passkeys win because:

  • They can’t be guessed or brute-forced
  • They can’t be reused across sites: each passkey is unique to the service it was created for
  • They’re far harder to hand over to a scammer, even by accident, because they only work on the genuine site
  • A breached server only leaks public keys, which are no use for logging in

And crucially for businesses… Fewer passwords means fewer password resets. Which means fewer tickets. Which means less time spent on the digital equivalent of “have you tried turning it off and on again?”

So yes, Passkeys vs Passwords is a whole thing, and the direction of travel is pretty clear.


Where do Google and Microsoft fit into this?

You’ll hear two phrases a lot. Google passkey and Microsoft passkey. They matter because most people’s digital lives orbit around Google and Microsoft accounts, especially at work (for better or worse).

A Google passkey is basically Google’s implementation of passkey login for Google accounts and services. If you use Google Workspace or rely on Google accounts for business tools, this is one of the biggest “normalising passkeys” drivers out there.

A Microsoft passkey is the equivalent story in Microsoft land. Microsoft accounts, Entra ID environments, and the wider Microsoft ecosystem. When Microsoft makes a shift, it tends to ripple through businesses fast because Microsoft is… well… Microsoft.

The important bit is that these aren’t niche experiments. A Google passkey and a Microsoft passkey approach are both part of the mainstream push that’s made the updated NCSC password guidance feel practical, not theoretical.

Need a hand with the technical stuff?

We're here to support businesses who want to up their cyber security game and get a hold on this new passkey malarkey! From full managed IT services to ad hoc projects and consultancy, we're here to help.

Get in touch

OK, but will passkeys make life easier or just give us new things to panic about?

Both. But mostly easier.

The “easier” bit…

  • Logging in is quicker (often just a biometric prompt)
  • Less password fatigue
  • Less risk from phishing emails

The “new panic” bit…

  • Your login is tied more closely to devices and credential managers
  • Recovery matters (if a passkey lives only on one device, lose that device and you lose access… unless recovery is set up properly; passkeys synced through a credential manager soften this, but you still need a fallback)
  • Businesses need to think about rollout and support, not just “turn it on and vibe”

Even the NCSC has been clear that passkeys work best when implemented sensibly. Proper recovery options and sensible credential management will be essential.

That’s baked into the broader NCSC password guidance shift, though. Adopt passkeys where possible, but don’t do it in a way that strands users when devices change.


What should businesses actually do right now?

Here’s a sensible list, for starters:

  1. Work out where passkeys are already available
    Check your key platforms (Microsoft, Google, payroll portals, finance tools). If you can enable a Google passkey or Microsoft passkey option, that’s a strong signal you’re ready to plan a rollout.
  2. Decide your approach: pilot first, then expand
    Pick a small group (IT and a willing department). Let them run it for a couple of weeks. Gather “this is brilliant” and “this is annoying” feedback.
  3. Get recovery right 
    Passkeys reduce risk, but recovery is where chaos lives if you ignore it. Make sure staff can regain access if they replace phones or laptops. Secure plus usable beats secure-but-impossible.
  4. Keep MFA sensible during transition
    This isn’t a “burn all passwords at dawn” situation. You can phase in passkeys while still supporting strong MFA for services that aren’t ready yet (a passkey is itself a strong factor: something you have, unlocked by something you are or know). Again, that’s consistent with the updated NCSC password guidance direction.
  5. Communicate it like a human
    Staff don’t need a cryptography lecture. They need:
    • What’s changing
    • When it’s changing
    • What they need to do
    • What happens if they ignore it
    • Where to get help

And, possibly, reassurance that IT isn’t doing this just to ruin everyone’s Tuesday.


The takeaway (AKA, where this is all heading)

If you’ve been wondering what are passkeys and whether they’re actually happening, the answer is yes. And now, officially, yes-with-government-approval.

What are passkeys? They’re the security world’s attempt to remove the most fragile part of authentication. Which is humans remembering secrets and not getting tricked into sharing them.

On the bigger stage, Passkeys vs Passwords is trending strongly in one direction, because the costs of password-based security (breaches, phishing, reset tickets, user frustration…) are all too high.

And with Google passkey and Microsoft passkey adoption pushing forward, plus the new NCSC password guidance making it feel very official, this is one of those tech shifts that will quietly become normal… and then one day you’ll realise you haven’t typed a password in weeks.

Which, honestly, sounds like bliss to us.

Got a question? We can answer it. Click here to get in touch