
Passkeys: An Easier Login Is Already on Your Device

By Savva Pistolas

Passwords are a 1960s solution to a problem that has grown considerably since. They get stolen, forgotten, reused across accounts, and handed over to phishing pages convincing enough to fool the most careful of people. That remains a key finding on many of our engagements and tests: well-trained users can still be deceived, and we can still simulate gaining that all-important initial access to an organisation. Passkeys address all of this, and the NCSC is now recommending every UK user make the switch wherever it’s available.

Turtledove Cyber’s Director Savva Pistolas joined BBC Breakfast alongside the NCSC’s guidance rollout to talk through what passkeys are, why they matter, and what organisations should do. This post covers the same ground in more detail.

What a Passkey Actually Is

A passkey replaces your username and password with a cryptographic key pair. Your device holds the private half, which never leaves it; the website holds the matching public half. To log in, the website sends a fresh random challenge, and your device signs it with the private key once you unlock it the way you already do: Face ID, fingerprint, or PIN. The website checks that signature against the public key it stored when you registered.

The only thing that crosses the network is a signature over that one challenge, so intercepting it gains an attacker nothing: it cannot be replayed for a later login, and it reveals nothing about the private key. There is no password to steal or replicate. A convincing fake login page captures nothing, because the device will only sign for the site the passkey was created for, and the browser, not the page, decides which site that is.

Your credential manager — Apple Passwords, Google Password Manager, Samsung Pass, or a third-party tool like 1Password — creates, stores, and syncs your passkeys across trusted devices. If you lose a device, synced passkeys survive through the credential manager’s secure backup, so you don’t start from scratch. The one exception is a passkey kept on a dedicated hardware security key, which lives only on that key and should be registered alongside a backup.

Why Passkeys Beat Passwords

The three ways passwords most commonly fail are the three things passkeys eliminate:

  • Phishing. Passkeys are bound to the specific site they were created for. A fake login page on another domain gets nothing, because the device will not use the key there.
  • Credential stuffing. Each passkey is unique. There is no shared secret to try across other services.
  • Weak choices. Users don’t create passkeys — devices generate them. There is no “Password1!” to guess.

The NCSC’s technical comparison found passkeys are at minimum as secure as the strongest traditional MFA combination, and in most cases more secure. Logins are up to eight times faster than entering a username, password, and one-time code. The friction of secure authentication drops to almost nothing.

Passkeys and Cyber Essentials

If your organisation is working towards Cyber Essentials or Cyber Essentials Plus, passkeys are directly relevant. The standard requires multi-factor authentication for cloud services and remote access. Passkeys satisfy this requirement: the device holding the private key is something you have, and the biometric or PIN that unlocks it is something you are or something you know, so both factors are built into the authentication itself rather than added on top.

For organisations already certified, adopting passkeys on key accounts strengthens your posture in line with the standard’s intent. For those working towards certification, switching cloud service and admin accounts to passkeys is one of the cleaner ways to meet the MFA requirement — no separate authenticator app to manage for every user.

This is one of those cases where the more secure option is also the more user-friendly one. That doesn’t happen often enough!

How to Start

Begin with the accounts that carry the most risk if compromised:

  • Microsoft 365 and Google Workspace both support passkeys for admin and standard user accounts.
  • Apple ID and Google Account support passkeys natively through their built-in credential managers.
  • Check the security or privacy settings of any service your organisation relies on. Many platforms now prompt users to upgrade when they log in.

For rolling this out to staff: make it supported rather than mandated. Walk people through setting it up on the device they already carry. Most accounts take under two minutes to switch. Adoption improves sharply when people see it working rather than read about it in a policy document.

If Passkeys Aren’t Available

Not every service supports them yet. Where they don’t, continue using strong unique passwords generated by a credential manager and keep two-step verification enabled. This remains a solid defence. Passkeys are better when available — they’re not a reason to weaken your approach elsewhere while you wait.

Supply Chain Implications

If you supply services to larger organisations, expect passkey adoption to appear in security questionnaires and contract requirements over the next few years. Phishing-resistant authentication is increasingly a baseline expectation, not a differentiator.

Cyber Essentials certification makes this conversation cleaner. A certified supplier has already met a defined standard that includes MFA requirements — which means fewer questionnaires, fewer back-and-forth evidence requests, and a clearer signal of posture to clients.

If you’re buying from suppliers, it’s a reasonable question to add: are your key contact accounts protected with phishing-resistant authentication?

Conclusion

Passkeys remove an entire category of credential-based attack. They’re faster to use, cryptographically stronger than passwords, and already available on every major platform and operating system. The NCSC backs them, Cyber Essentials recognises them, and the major platforms are building toward them as the default.

Turtledove Cyber supports organisations in achieving Cyber Essentials and Cyber Essentials Plus certification, including working through the MFA requirements that passkeys help satisfy. If you’re looking to tighten your authentication posture or start a certification journey, get in touch.
