For years, passwords have been the weakest link in cybersecurity.

Not because they’re inherently flawed, but because humans are.

We reuse them.
We make them predictable.
We fall for phishing.

And attackers have become exceptionally good at exploiting all three.

Now, GCHQ, through the UK’s National Cyber Security Centre (NCSC) is signalling something significant:

It’s time to move beyond passwords.

Why Passwords Are No Longer Fit for Purpose

The threat landscape has changed dramatically.

Credential-based attacks remain one of the most common initial access methods. Phishing kits, infostealer malware, and credential stuffing tools are now widely available and increasingly automated.

Add AI into the mix, and the speed and scale of these attacks increases again.

Attackers don’t need to “hack” systems in the traditional sense anymore.
They just log in.

Enter Passkeys

Passkeys are being positioned as the successor to passwords and for good reason.

Instead of relying on something you know (a password), passkeys rely on something you have (your device) and something you are (biometrics like fingerprint or face recognition).

Behind the scenes, this uses public key cryptography:

• A private key stays securely on your device
• A public key is stored by the service
• Authentication happens without ever transmitting a reusable secret

That means:

• No password to steal
• No credential to phish
• No database of passwords to breach

Why This Matters for Organisations

This isn’t just a consumer convenience shift - it’s a security control evolution.

From a CISO perspective, passkeys directly address several long-standing risks:

• Phishing resistance - attackers can’t trick users into handing over credentials that don’t exist
• Credential reuse elimination - no shared secrets across systems
• Reduced attack surface - no password databases to compromise

But the bigger story is this:

Identity is becoming the primary security perimeter.

And anything that strengthens authentication without relying on user behaviour is a major step forward.

The Catch: It’s Not a Silver Bullet

Before we declare passwords dead, there are realities to consider:

• Adoption is uneven - not all platforms support passkeys yet
• Device dependency - what happens when users lose access to their device?
• Enterprise integration - legacy systems still rely heavily on traditional authentication

And importantly:

Attackers will adapt.

If credentials disappear, focus shifts elsewhere - session hijacking, device compromise, social engineering at a different layer.

What Should Security Leaders Do Now?

This is not a “rip and replace” moment, but it is a direction of travel.

Practical steps:

• Start introducing passkeys where supported (especially for high-risk accounts)
• Align with passwordless strategies already emerging in identity platforms
• Review authentication flows for phishing resistance—not just complexity
• Educate users on the shift (this is a behavioural as well as technical change)

The Bigger Picture

GCHQ’s message isn’t just about passkeys.

It’s about recognising that the traditional model of shared secrets is fundamentally broken at scale.

And in a world where attackers are faster, more automated, and increasingly AI-enabled…

Security controls that rely on users “doing the right thing” are no longer enough.

‍