NCSC Advocates for FIDO Authentication Over SMS Verification in the UK

The U.K. government is preparing to phase out SMS-based verification for its digital services and replace it with passkeys in an effort to strengthen cybersecurity. The transition, spearheaded by the U.K. National Cyber Security Centre (NCSC), will use the Fast IDentity Online (FIDO) standard for improved security and efficiency.
The NCSC emphasizes the importance of passkeys in bolstering national cyber resilience, citing benefits that include enhanced security, cost efficiency, and a streamlined user experience. An NCSC statement noted that passkeys could reduce login time by nearly one minute compared to traditional methods involving usernames, passwords, and SMS codes.
The initiative is set to commence later this year, enabling users to log into the U.K. government’s services using passkeys. This announcement was made by NCSC CTO Ollie Whitehouse during the CyberUK conference, underscoring the urgency of this transformation in securing digital interactions.
Designed for seamless integration into smartphones and computers, passkeys eliminate the reliance on SMS-based verification, allowing users to verify their identities effortlessly. The NCSC has emphasized the security advantages of passkeys, which are stored locally on devices, rendering them resistant to interception and phishing attacks.
In the event a device is compromised, the data remains encrypted on government servers, thus mitigating risks associated with stolen devices. According to statements made at CyberUK, the security of the passkey is preserved as users are required to authenticate their devices for access.
The transition to passkeys could reflect a broader trend in cybersecurity, one particularly relevant for U.S.-based business owners who recognize the vulnerabilities of traditional authentication methods. The transition is relevant to the MITRE ATT&CK framework, particularly the Initial Access and Credential Access tactics, and to the exploitation of vulnerabilities in outdated verification systems.
As businesses evaluate their cybersecurity strategies, the U.K.’s approach offers a compelling case study in adapting to emerging threats while ensuring user-friendly access to services. The integration of passkey technology serves as an important reminder of the evolving landscape of cybersecurity and the necessity for robust authentication solutions.