For years, passwords have been treated as the first line of defence in cybersecurity. Yet despite increasingly complex password policies and multi-factor authentication (MFA) requirements, password-related breaches continue to dominate the threat landscape, with phishing and stolen credentials remaining common attack methods. As cybercriminals increasingly target user identities rather than infrastructure, organisations are beginning to rethink how users authenticate. The UK’s National Cyber Security Centre (NCSC) is among those encouraging organisations to move towards passkeys as the future of authentication. Here, Martin Wegrostek, Cyber Security Portfolio Manager, explains why.
According to Microsoft’s Digital Defense Report 2024, cyberattacks have increased to approximately 7,000 password attacks per second, while identity-based cyberattacks now account for nearly 80 per cent of breaches. The figures highlight how cybercriminals continue to exploit weak, stolen and reused credentials as one of the easiest ways to gain access to corporate systems.
As organisations look for more phishing-resistant alternatives to traditional passwords, passkeys are increasingly emerging as a practical solution. As the NCSC explains, passkeys “only require user approval rather than needing to input a password”, making them “quicker and easier to use and harder for cyber attackers to compromise”. As a result, passkeys are increasingly being viewed as an important step towards strengthening identity protection and reducing password-related risk.
A passkey is a cryptographic credential tied to a specific device and verified through something the user already does naturally: a fingerprint scan, a face recognition check or a device PIN. When a user authenticates with a passkey, a private key stored securely on their device signs a challenge from the server, without that key ever leaving the device. There is no shared secret to steal or phish.
The NCSC's new technical report confirms that passkeys are “at least as secure as, and generally more secure than, pairing the strongest password with two-step verification (2SV)”. Critically, the NCSC found that passkeys are highly resistant to phishing attacks and cannot be intercepted, reused or guessed in the way that passwords can.
They also dramatically improve the user experience. Passkey logins can be completed significantly faster than the traditional username, password and verification code workflow. This removes the traditional trade-off between security and convenience.
The growing adoption of passkeys also aligns closely with frameworks like Cyber Essentials, which place increasing emphasis on access control, authentication integrity and protection against common attack techniques. While passkeys are not currently mandated within the certification itself, they directly support many of its underlying security principles by reducing organisational exposure to credential theft, and account compromise.
For organisations pursuing Cyber Essentials or Cyber Essentials Plus, identity security is becoming increasingly crucial as threat actors continue to target authentication layers rather than attempting to breach infrastructure directly. Traditional password policies and MFA remain important controls, but they still rely heavily on user behaviour and can be undermined through phishing or credential reuse.
While MFA remains an important layer of defence, it is no longer enough on its own to prevent identity compromise. Attackers have adapted their techniques to target authentication workflows through phishing and social engineering, prompting organisations to look beyond passwords and traditional MFA towards more phishing-resistant methods of authentication.
This becomes particularly significant within hybrid and cloud-centric environments, where identities increasingly act as the gateway to critical systems and applications. In these environments, passkeys offer a more phishing-resistant authentication model that strengthens cyber resilience while supporting a more mature and forward-looking approach to governance and identity assurance.
Passwords are unlikely to disappear entirely overnight, particularly as many organisations continue to operate legacy systems and mixed authentication environments. However, the way organisations approach authentication is changing. As identity-based attacks continue to rise and phishing techniques become more sophisticated, reducing reliance on passwords is becoming an increasingly important part of strengthening cyber resilience.
Passkeys reflect a wider shift towards phishing-resistant authentication and a more resilient security posture built around today's threat landscape. For organisations looking to strengthen identity protection, adopting passkeys represents an opportunity to reduce credential-related risk while preparing for the next generation of authentication.
To learn more about strengthening identity protection and building a more resilient cybersecurity strategy, visit https://www.oryxalign.com/cyber or fill in the form below and we’ll be in touch.