// News Desk · 23 April 2026 · identity · policy · financial services · commentary · source: ncsc.gov.uk

NCSC: passkeys are the future. The cover for banks to move has just shifted

The UK's lead cyber agency has formally said passkeys should be the default consumer authentication method. That changes the regulatory arithmetic for FS firms still on SMS OTP.

The UK’s National Cyber Security Centre published a notably plainspoken position this week: passkeys should be the default consumer authentication method, and passwords (and the SMS-OTP scaffolding around them) should be on the way out. The supporting blog walks through the public-key cryptography under the hood and concludes that passkeys are both more secure — immune to phishing, credential stuffing, and the SIM-swap-and-OTP class of attack — and more usable, since the user experience is a Face ID, Touch ID, or Windows Hello swipe. When the UK’s lead cyber agency uses both adjectives in the same sentence, the technical argument is over.
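The paragraph above leans on the NCSC's claim that public-key cryptography is what makes passkeys immune to phishing and to the OTP-relay class of attack. The following Go program is an added illustration of that mechanism and is not code from the NCSC or from this page: it models a cut-down WebAuthn-style assertion ceremony with an authenticator that keeps one P-256 key pair per relying-party ID, a relying party that issues one-time challenges and checks the origin baked into the signed clientDataJSON, and four ceremonies (a genuine login, a lookalike-domain phishing page, a replayed assertion, and an assertion carrying the wrong origin). The domains `bank.example` and `bank-login.example` are constructed placeholders, and attestation, authenticatorData, signature counters and the clientDataJSON `type` field are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is a cut-down clientDataJSON: the browser, not the web page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct {
	ClientData []byte // serialized clientDataJSON (authenticatorData omitted for brevity)
	Sig        []byte // ECDSA P-256 signature over sha256(ClientData)
}

// Authenticator keeps one key pair per RP ID: a passkey is never offered to any other domain.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a credential scoped to rpID and hands the public key to the RP.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = k
	return &k.PublicKey
}
// Assert signs the RP's challenge for the rpID and origin the browser reports.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (*Assertion, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for RP ID " + rpID)
	}
	cd, _ := json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientData: cd, Sig: sig}, nil
}

// RelyingParty issues one-time challenges and verifies assertions against them.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	pending    map[string]bool
}
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read always fills the buffer (never returns an error since Go 1.24)
	rp.pending[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already-used challenge") // replay protection
	}
	delete(rp.pending, cd.Challenge) // consume it even if a later check fails
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: " + cd.Origin) // lookalike-domain protection
	}
	h := sha256.Sum256(as.ClientData)
	if !ecdsa.VerifyASN1(rp.pub, h[:], as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a genuine login, a lookalike-domain phishing page, a replay, and a wrong-origin assertion.
func Demo() (legit, phish, replay, wrongOrigin error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", pending: map[string]bool{}}
	rp.pub = auth.Register(rp.ID) // constructed demo domain, not a real bank
	as, _ := auth.Assert("bank.example", "https://bank.example", rp.NewChallenge())
	legit = rp.Verify(as)
	// Phishing page: the browser scopes the request to its own domain, for which no passkey exists.
	_, phish = auth.Assert("bank-login.example", "https://bank-login.example", rp.NewChallenge())
	replay = rp.Verify(as) // same bytes again: the challenge was already consumed
	// The origin is inside the signed bytes, so the RP rejects a mismatch even if a non-browser client let it through.
	as2, _ := auth.Assert("bank.example", "https://bank-login.example", rp.NewChallenge())
	wrongOrigin = rp.Verify(as2)
	return
}

func main() { fmt.Println(Demo()) } // <nil> for the genuine login, an error for each of the other three
```

Two of the four failures never reach the server at all: the lookalike page has no credential to ask for, which is the property SMS OTP lacks (a user can always be talked into typing a code into the wrong page). The replay and wrong-origin cases show why the relying party must still bind each assertion to a single-use challenge and to its own origin rather than trusting the client.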

The interesting part of the announcement isn’t the technical case. It’s what the announcement does to the regulatory arithmetic for UK financial services. Banks and insurers running SMS OTP for high-value transactions have for years been able to point at “industry practice” as a soft defence. The standard line in steering-committee minutes is some version of “passkey rollout is on the roadmap; until the regulator names a date we are aligned with peers.” From this week onwards, the lead national cyber agency has a public, unambiguous position that contradicts that defence. When the FCA, PRA, or any successor framework next reviews authentication standards, NCSC’s exact wording is the document they’ll cite. The “industry-practice” cover is gone.

For FS programmes still mid-rollout, there are two practical implications. First, the timetable matters more than the technology. The integration work is well understood and the passkey libraries are mature; the pain is mostly UX, customer communications, and back-office support flows. Plan the migration on a horizon that ends in this calendar year, not the next one. Second, work the fallback flows hard. Passkeys are the new front door; the SMS-OTP path you keep for account recovery is the new attack surface. Recovery is where the next round of attacks will land — not the front door.

The NCSC announcement isn’t telling defenders anything they didn’t know. It’s telling them they have permission, on the record, to act on what they knew already.
