Passkeys Set to Protect GOV.UK Accounts Against Cyber-Attacks

The UK government has unveiled plans to roll out passkeys across its digital services as it seeks to reduce the risk of hacks to people’s GOV.UK accounts.
The aim is for passkeys to replace the current SMS-based two-factor verification system across these accounts by the end of 2025, the government revealed in an announcement during the CYBERUK 2025 conference in Manchester, UK.
GOV.UK services cover a range of critical areas, including benefit claims, childcare support and tax credits.
Cybercriminals have become adept at bypassing common authentication methods, including intercepting codes sent via SMS using techniques such as adversary-in-the-middle phishing kits.
Passkeys are cryptographic credentials tied to a user’s account on a website or application, with sign-in enabled by a biometric sensor, such as fingerprint or facial recognition.
A private key is stored on the device and used to create cryptographic authentication signatures. The corresponding public key is given to the server, which stores it and uses it to verify those signatures.
Passkeys are much harder to phish than passwords as they work only on their registered websites and apps. Therefore, a user cannot be tricked into authenticating on a deceptive site because the browser or operating system handles verification.
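The sign-in flow described above can be sketched as a simplified WebAuthn-style check. This is an added example, not code from GOV.UK or the NCSC; the host names service.example and service-login.example and all function names are constructed for illustration, and the browser's RP ID rule is reduced to an exact host match.

```javascript
// Added illustration (not GOV.UK code): simplified WebAuthn-style sign-in check.
const crypto = require('crypto');

const RP_ID = 'service.example';              // constructed relying-party ID
const RP_ORIGIN = 'https://service.example';  // constructed origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the private key stays on the device; the server stores the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { rpId: RP_ID, privateKey }, serverRecord: { publicKey } };
}

// Browser + authenticator. The browser, not the page, supplies the origin, and the
// passkey is only offered where the host matches its RP ID (exact match here; real
// WebAuthn also allows registrable-domain suffixes).
function signAssertion(device, pageOrigin, challenge) {
  if (new URL(pageOrigin).hostname !== device.rpId) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin,
  }));
  // authenticatorData = SHA-256(rpId) || flags (UP|UV = 0x05) || 4-byte counter
  const authenticatorData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signed, device.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server: all checks must pass before the signature counts as a login.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'reject: wrong type';
  if (client.origin !== RP_ORIGIN) return 'reject: origin mismatch';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'reject: challenge mismatch';
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'reject: rpIdHash mismatch';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  const ok = crypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature);
  return ok ? 'accept' : 'reject: bad signature';
}
```

On the look-alike host the device returns no assertion at all, and an assertion captured for one challenge is rejected when the server has issued a different one, which is why an intercepted response is of no use in the way an intercepted SMS code is.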
The announcement is also designed to reduce costs and friction for online users of government services, as there will no longer be a need to send a code to a secondary device or receive user input.
It is estimated that passkeys save approximately one minute per login when compared to entering a username, password and SMS code.
During a keynote address at the 2025 CYBERUK event, Chancellor of the Duchy of Lancaster, Pat McFadden, emphasized the UK government’s commitment to strengthening cybersecurity across all its systems.
“I can’t stand here this morning and tell you that government systems are bomb-proof. That’s not the case. We have new systems built on top of legacy systems and we’re doing everything in our power to modernize and upgrade these core systems,” he noted.
NCSC Encourages UK-Wide Passwordless Adoption
Accompanying the announcement, the National Cyber Security Centre (NCSC) revealed it is developing passkey support for its own myNCSC platform, with availability expected later this year.
Additionally, the Department for Science, Innovation and Technology (DSIT) said it will be releasing guidance to formally recognize passkeys as suitable for most authentication scenarios. This recognition will pave the way for wider adoption across UK government systems and services.
The UK’s National Health Service (NHS) has already rolled out passkeys for user accounts across its digital services.
AI and Digital Government Minister, Feryal Clark, commented: “This shift will not only save users valuable time when interacting with government online, but it will reduce fraud and phishing risks that damage our economic growth.”
NCSC Chief Technical Officer, Ollie Whitehouse, urged all UK organizations to develop strategies to move beyond traditional password and multi-factor authentication (MFA) solutions, stating that passkeys protect against common cyber threats such as phishing and credential stuffing.
“We strongly advise all organizations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins and to save significant costs on SMS authentication,” he said.
The UK government also announced it had joined the FIDO Alliance, an open industry association dedicated to shaping password-free authentication.
This move will enable the government to play an active role in the evolution of passkey standards.