TelcoNews UK - Telecommunications news for ICT decision-makers
Why passkeys are becoming essential for modern cybersecurity

Fri, 26th Jun 2026
Martin Wegrostek, Cyber Security Portfolio Manager, OryxAlign

For years, passwords have been treated as the first line of defence in cybersecurity. Yet despite increasingly complex password policies and multi-factor authentication (MFA) requirements, password-related breaches continue to dominate the threat landscape, with phishing and stolen credentials remaining common attack methods. As a result, the conversation around digital identity is changing, with the UK's National Cyber Security Centre (NCSC) encouraging organisations to move towards passkeys as the future of authentication. Here, Martin Wegrostek, Cyber Security Portfolio Manager at managed IT specialist OryxAlign, explains why.

According to Microsoft's Digital Defence Report 2024, password attacks have increased to approximately 7,000 per second, while identity-based cyberattacks now account for nearly 80 per cent of breaches. The figures highlight how cybercriminals continue to exploit weak, stolen and reused credentials as one of the easiest ways to gain access to corporate systems.

As organisations look for more phishing-resistant alternatives to traditional passwords, passkeys are increasingly emerging as a practical solution. As the NCSC explains, passkeys "only require user approval rather than needing to input a password", making them "quicker and easier to use and harder for cyber attackers to compromise". As a result, passkeys are increasingly being viewed as an important step towards strengthening identity protection and reducing password-related risk.

No password, no problem

A passkey is a cryptographic credential tied to a specific device and verified through something the user already does naturally: a fingerprint scan, a face recognition check or a device PIN. When a user authenticates with a passkey, a private key stored securely on their device signs a challenge from the server, without that key ever leaving the device. There is no shared secret to steal or phish.

The NCSC's new technical report confirms that passkeys are "at least as secure as, and generally more secure than, pairing the strongest password with two-step verification (2SV)". Critically, the NCSC found that passkeys are highly resistant to phishing attacks and cannot be intercepted, reused or guessed in the way that passwords can. 
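
A simplified model of the exchange described above, added here as an illustration and not taken from the NCSC report or any vendor's code: the device signs a server challenge together with the origin the browser sees, and the server rejects a reused, look-alike-origin or altered response. It uses Node.js's built-in crypto module; the origins, function names and message layout are assumptions and do not reproduce the full WebAuthn format.

```javascript
const crypto = require('node:crypto');

// Simplified passkey login model; every name and origin here is constructed.
const RP_ORIGIN = 'https://login.example.test';

// Registration: the key pair is created on the device and only the
// public key is handed to the server. The private key never leaves `device`.
function registerPasskey() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey, pending: new Set() } };
}

// Server: issue a fresh random challenge and remember it for one use.
function issueChallenge(server) {
  const challenge = crypto.randomBytes(32).toString('base64url');
  server.pending.add(challenge);
  return challenge;
}

// Device: after user approval (biometric or PIN), sign the challenge
// bound to the origin the browser is actually connected to.
function signAssertion(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: check the signature first, then the origin, then that the
// challenge is one it issued and has not already accepted.
function verifyAssertion(server, { clientData, signature }) {
  const data = Buffer.from(clientData);
  if (!crypto.verify('sha256', data, server.publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(clientData);
  if (origin !== RP_ORIGIN) return 'wrong-origin';
  if (!server.pending.delete(challenge)) return 'unknown-or-replayed-challenge';
  return 'ok';
}

function demo() {
  const { device, server } = registerPasskey();
  const genuine = signAssertion(device, issueChallenge(server), RP_ORIGIN);
  const first = verifyAssertion(server, genuine);
  const replay = verifyAssertion(server, genuine); // same response sent twice
  const relayed = signAssertion(device, issueChallenge(server), 'https://login.examp1e.test');
  const lookalike = verifyAssertion(server, relayed); // signed on a look-alike site
  const edited = genuine.clientData.replace(RP_ORIGIN, 'https://x.test');
  const tampered = verifyAssertion(server, { ...genuine, clientData: edited });
  return { first, replay, lookalike, tampered };
}
console.log(demo());
```
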

They also dramatically improve the user experience. Passkey logins can be completed significantly faster than the traditional username, password and verification code workflow. This removes the traditional trade-off between security and convenience.

Raising the Cyber Essentials baseline

The growing adoption of passkeys also aligns closely with frameworks like Cyber Essentials, which place increasing emphasis on access control, authentication integrity and protection against common attack techniques. While passkeys are not currently mandated within the certification itself, they directly support many of its underlying security principles by reducing organisational exposure to credential theft and account compromise.

For organisations pursuing Cyber Essentials or Cyber Essentials Plus, identity security is becoming increasingly crucial as threat actors continue to target authentication layers rather than attempting to breach infrastructure directly. Traditional password policies and MFA remain important controls, but they still rely heavily on user behaviour and can be undermined through phishing or credential reuse. 

Many organisations still treat MFA as the end goal for identity security, when in reality attackers have already adapted their tactics around it. Security teams are therefore placing greater emphasis on limiting exposure to authentication methods vulnerable to credential compromise and social engineering.

This becomes particularly significant within hybrid and cloud-centric environments, where identities increasingly act as the gateway to critical systems and applications. In these environments, passkeys offer a more phishing-resistant authentication model that strengthens cyber resilience while supporting a more mature and forward-looking approach to governance and identity assurance.

The end of the password era

Passwords are unlikely to disappear entirely overnight, particularly as many organisations continue to operate legacy systems and mixed authentication environments. However, the direction of travel is becoming increasingly clear. As identity-based attacks continue to rise and phishing techniques become more sophisticated, organisations are being forced to reconsider whether traditional passwords remain fit for purpose as a primary security control.

Passkeys reflect a wider shift towards phishing-resistant authentication and a more resilient security posture built around today's threat landscape. For organisations serious about cyber resilience, moving beyond passwords is rapidly becoming a strategic priority, one that compliance pressures and the growing frequency of credential-based attacks are only accelerating.

To learn more about strengthening identity protection and building a more resilient cybersecurity strategy, visit www.oryxalign.com.