NCSC Recommends Passkeys Over Traditional MFA, Boosting Authentication Security
What Happened – The UK National Cyber Security Centre (NCSC) announced at CYBER UK 2026 that it will begin recommending passkeys (FIDO2 credentials) wherever services support them, falling back to two‑step verification (2SV) when they do not. The guidance follows extensive research and industry engagement showing passkeys are resistant to the most common credential‑based attacks.
Why It Matters for TPRM –
- Passkeys replace shared secrets with a per-service key pair, so there is no password to phish, to reuse across vendors, or to harvest from a breached third‑party credential store.
- Vendors that adopt FIDO2 authentication can demonstrate stronger security controls to their customers.
- Organizations should reassess authentication requirements in contracts and vendor risk assessments.
Who Is Affected – All industries that rely on third‑party SaaS platforms, cloud services, and consumer‑facing applications; particularly technology, financial services, healthcare, and government entities.
Recommended Actions –
- Review all critical vendors for support of FIDO2/passkey authentication.
- Update contractual security clauses to require passkey use where feasible.
- Incorporate passkey enrollment and use into your organization’s authentication policy and employee training, with 2SV as the documented fallback for services that do not yet support passkeys.
Technical Notes – A passkey is a FIDO2/WebAuthn credential: a public/private key pair created for one service. The private key stays in the authenticator (a phone or laptop’s secure hardware, a FIDO2 security key, or a platform credential manager that syncs it across a user’s devices); the service stores only the public key, so a breach of a vendor’s credential database yields nothing an attacker can replay elsewhere. At login the browser, not the web page, records the site’s origin in the data that gets signed, and the credential is scoped to the domain it was registered on, so a look‑alike site cannot obtain a usable assertion. That is what makes passkeys resistant to phishing, credential stuffing and password reuse in a way that passwords, SMS codes, email OTPs and OTP‑style hardware tokens are not; FIDO2 security keys share the same design and are equally phishing‑resistant. Passkeys protect the login ceremony, not the session that follows: a stolen session cookie still works, so session binding and short session lifetimes remain separate controls. Source: NCSC Blog – Passkeys are more secure than traditional ways to log in
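To make the phishing‑resistance argument concrete, here is the relying‑party side of a passkey login as an added example (this is not code from the NCSC post or from any vendor; the domains vendor.example and vendor-example.com, and the names SimulateAuthenticator, VerifyAssertion and Demo, are made up for the illustration). It follows the WebAuthn assertion checks with Go’s standard library only: the challenge must match the one issued, the origin inside the signed clientDataJSON must be the real site, the RP ID hash in the authenticator data must match, the signature counter must advance, and the ECDSA signature must verify against the public key stored at registration. The Demo function walks through a legitimate login, a victim on a look‑alike domain (no credential exists for it), a forged assertion that carries the look‑alike origin (rejected by the RP even though the signature is valid), and a replay of the accepted assertion (rejected by the counter).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party (RP) for this example: the RP ID is the registrable domain.
const rpID = "vendor.example"
var allowedOrigins = map[string]bool{"https://vendor.example": true} // exact origins the RP accepts
type clientData struct { // the clientDataJSON fields the RP must check
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct { // what navigator.credentials.get() hands back to the RP
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA signature
}
type Credential struct { // what the RP stored at registration: a public key, never a secret
	Pub       *ecdsa.PublicKey
	SignCount uint32
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// digest returns SHA-256(authData || SHA-256(clientDataJSON)), the value the ECDSA key signs.
func digest(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// SimulateAuthenticator models a platform authenticator answering a get() request. The browser, not
// the page, supplies the origin and derives the RP ID from it; the credential is scoped to credRP.
func SimulateAuthenticator(priv *ecdsa.PrivateKey, credRP, browserRP, browserOrigin string, challenge []byte, signCount uint32) (Assertion, error) {
	if browserRP != credRP {
		return Assertion{}, errors.New("no credential registered for this RP ID")
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: browserOrigin})
	h := sha256.Sum256([]byte(browserRP))
	ad := binary.BigEndian.AppendUint32(append(h[:], 0x01), signCount) // flags byte 0x01 = UP (user present)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(ad, cd))
	return Assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// VerifyAssertion is the RP-side check; each rejection closes off one attack. A real RP also looks
// the credential up by ID, checks the user handle and discards the challenge after one use.
func VerifyAssertion(cred *Credential, expectedChallenge []byte, a Assertion) error {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil {
		return errors.New("clientDataJSON is not valid JSON")
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(expectedChallenge) {
		return errors.New("wrong ceremony type or challenge: replayed or cross-session assertion")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q not allowed: assertion was signed on a look-alike site", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) || a.AuthData[32]&0x01 == 0 {
		return errors.New("authenticator data malformed, wrong RP ID hash, or no user presence")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count != 0 && count <= cred.SignCount {
		return errors.New("sign counter did not advance: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.Pub, digest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	cred.SignCount = count
	return nil
}

// Demo registers one passkey and runs four login attempts, returning one flag per outcome.
func Demo() (legitOK, scopeRejected, originRejected, replayRejected bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &Credential{Pub: &priv.PublicKey}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	good, err := SimulateAuthenticator(priv, rpID, rpID, "https://vendor.example", challenge, 1)
	legitOK = err == nil && VerifyAssertion(cred, challenge, good) == nil
	// Phishing: the attacker relays the real challenge to a victim browsing vendor-example.com.
	_, err = SimulateAuthenticator(priv, rpID, "vendor-example.com", "https://vendor-example.com", challenge, 2)
	scopeRejected = err != nil
	// Defence in depth: a client that ignored scoping still embeds the look-alike origin in the signed data.
	forged, _ := SimulateAuthenticator(priv, rpID, rpID, "https://vendor-example.com", challenge, 2)
	originRejected = VerifyAssertion(cred, challenge, forged) != nil
	replayRejected = VerifyAssertion(cred, challenge, good) != nil // counter did not advance
	return
}
func main() { fmt.Println(Demo()) }
```

The point for a vendor assessment is the order of the checks: origin and RP ID are validated before the signature is even examined, so a correctly signed assertion obtained on a look‑alike domain is still worthless to the attacker, which is the property that SMS codes and OTPs cannot offer. Note that nothing here protects the session cookie the RP issues after VerifyAssertion returns nil.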