The government is to roll out passkey technology across its digital services this year as a simpler and more secure alternative to remembering complex passwords.
Government websites will start offering the public the ability to use passkeys – cryptographic keys stored on phones or laptops – to log into government websites, including HM Revenue & Customs and NHS sites, over the next 12 months.
The move comes amid heightened concerns over the security offered by passwords following cyber attacks that have disrupted retailers Marks and Spencer, Co-op and Harrods in recent weeks.
The NHS is one of the first government organisations in the world to offer passkeys to give patients secure access to hospital and pharmacy websites.
The NHS processes one million authentications a month and now has more than 100 organisations using the secure log-in service.
Passkeys offer a greater level of security than passwords and SMS two-factor authentication, both of which can be compromised by hackers.
They allow people to log into websites securely, using their own mobile phones, tablets or laptops to verify their identity by entering a PIN or using facial recognition.
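As an added illustration (not from the article or from any supplier it names), here is a constructed Go model of the challenge-response flow behind passkeys: a per-site key pair that never leaves the device signs a server challenge together with the origin the browser actually connected to, which is why a look-alike site gets no credential to relay, the public key a service stores is useless for credential stuffing, and an old assertion cannot be replayed. Origins, challenges and the simplified client-data structure are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed model of the passkey (WebAuthn) flow: one key pair per relying party
// (RP) stays on the device, and every signature covers the origin the browser saw.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // rpID -> private key
type ClientData struct{ Type, Challenge, Origin string }
func rpID(origin string) string { return strings.TrimPrefix(origin, "https://") } // simplified
// Register makes a key pair scoped to the site; only the public key leaves the device.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID(origin)] = k
	return &k.PublicKey
}
// Assert signs the RP's challenge bound to the origin the browser (not the page) saw; a look-alike site has a different rpID and so no credential.
func (a *Authenticator) Assert(origin, challenge string) ([]byte, []byte, bool) {
	k, ok := a.keys[rpID(origin)]
	if !ok { return nil, nil, false }
	cd, _ := json.Marshal(ClientData{"webauthn.get", challenge, origin})
	h := sha256.Sum256(cd)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return cd, sig, true
}
// Verify is the RP side: origin and challenge inside the signed client data must match what the RP issued, and the signature must verify under the stored public key.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, cd, sig []byte) bool {
	var c ClientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" || c.Origin != origin || c.Challenge != challenge { return false }
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
// Scenario returns (genuine login verified, look-alike site got an assertion, old assertion replayed OK).
func Scenario() (genuine, phished, replayed bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	const rp = "https://login.service.example" // constructed RP origin
	pub := auth.Register(rp)
	cd, sig, _ := auth.Assert(rp, "challenge-1")
	_, _, phished = auth.Assert("https://login-service.example", "challenge-2") // look-alike origin
	return Verify(pub, rp, "challenge-1", cd, sig), phished, Verify(pub, rp, "challenge-3", cd, sig)
}

func main() { fmt.Println(Scenario()) } // true false false
```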
Artificial intelligence and digital government minister Feryal Clark said the government would roll out passkeys across Gov.uk websites this year in what she described as a “major step forward” in strengthening the UK’s digital defences.
The government is working with OneLogin, which provides secure login services, to roll out passkeys across government websites.
This week, Microsoft also announced plans to replace passwords with secure passkeys by making new Microsoft accounts “passwordless by default”.
The company said in a blog post that it aimed to eliminate the use of passwords on its products over time.
According to Microsoft research, passkeys allow users to log in more quickly, saving one minute per login when compared to entering a username, password and SMS code.
The move to passkeys on government websites could save several million pounds annually, and will make it easier to access government services, said Clark.
“Replacing older methods like SMS verification with modern, secure passkeys will make it quicker and easier for people to access essential services – without needing to remember complex passwords or wait for text messages,” she added.
“This shift will not only save users valuable time when interacting with government online, but it will reduce fraud and phishing risks that damage our economic growth,” she said.
The UK’s National Cyber Security Centre (NCSC), part of GCHQ, said passkey adoption is “vital for transforming cyber resilience at a national scale”.
The organisation believes that after years of development, passkeys, which are supported by over 98% of consumer devices, are now ready to be widely deployed.
NCSC chief technology officer (CTO) Ollie Whitehouse said the move would protect against common cyber threats such as phishing and credential stuffing.
“By adopting passkey technology, the government is not only leading by example by strengthening the security of its services, but also making it easier and faster for citizens to access them,” he said.
“We strongly advise all organisations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins, and save significant costs on SMS authentication.”
The NCSC has joined the FIDO Alliance, described as the global body shaping the future of password-free authentication, which will allow the UK to play a role in developing passkey standards.
The cyber security organisation is working with technology suppliers and organisations to make passkeys widely available as an option for users.
It is also developing passkey support for the MyNCSC portal, which allows companies to access cyber security services, with availability expected later this year.
Retailers Marks & Spencer, Co-op and Harrods were hit by ransomware attacks over Easter, after hackers reportedly posed as employees and asked the companies’ IT helpdesks to reset their passwords.
The NCSC’s national resilience director, Jonathan Ellison, along with CTO Whitehouse, advised organisations to review their helpdesk password reset processes, including their procedures to authenticate the identity of employees, following the attacks.
“Preparation and resilience do not mean just having good defences to keep out attackers. No matter how good your defences are, sometimes the attacker will be successful,” they wrote in a blog post.
Stuart McKenzie, managing director of Mandiant Consulting, part of Google, told Computer Weekly that two-factor authentication and passwords can be circumvented by hackers and cyber criminals.
He said hackers can duplicate a person’s mobile phone SIM and use it to intercept two-factor authentication codes, adding: “SMS-based authentication is a really weak technology.”