
Passkeys UK: An Overview [2026]

Discover how the UK / Great Britain is advancing passkey adoption across banking, retail and digital IDs driven by regulation, security needs and user-friendly technology.

Alexander Petrovski

Created: February 25, 2026

Updated: February 25, 2026


1. Introduction

In this article, we provide a concise overview of the current state of passkey implementation in the United Kingdom. Passkeys represent the next generation of secure and user-friendly authentication, moving beyond the well-known weaknesses of traditional passwords and many legacy MFA methods.

The UK is a particularly interesting market because adoption is being shaped by a rare mix of factors:

  • a high-pressure fraud environment,
  • strong national security guidance and
  • large-scale modernization efforts across critical services.

The UK also stands out because passkeys are not only appearing through global consumer platforms but are increasingly relevant for regulated and public-facing journeys. National guidance from the National Cyber Security Centre (NCSC) has helped set expectations around phishing-resistant authentication, while government and healthcare services have begun incorporating passkey support into their sign-in experiences, accelerating public familiarity with the concept.

Economic incentives are hard to ignore. Fraud and account takeover remain persistent, and organisations are under constant pressure to reduce friction and support costs without weakening security. In that environment, passkeys are increasingly viewed as one of the few approaches that can improve security and UX at the same time.

In this article, we will address these key questions:

  1. Why are passkeys especially relevant for the UK?
  2. How is the UK’s regulatory and policy landscape driving passkey adoption?
  3. To what extent are financial institutions, government services, and retailers implementing passkeys?
  4. What are the main challenges to scaling passkey usage nationwide and how can they be overcome?

2. Passkeys: what they are and why they matter in the UK

Before looking at regulation, industry rollouts, and public-sector programs, it helps to align on what passkeys are and why they matter in the UK context. Passkeys are not just a “new login feature”. They are a shift in how online accounts are protected: away from shared secrets that can be stolen or replayed, toward cryptographic credentials that are designed to resist phishing and many common forms of account takeover.

2.1 Defining Passkeys

Passkeys replace passwords with a secure, cryptographic way to sign in using your device. Instead of typing a password, users authenticate with a fingerprint, face recognition, or device PIN, and the device then uses a private key to complete the login.

Key features of passkeys include:

  • Phishing-resistance by design: The credential is bound to the specific website (relying party), making classic phishing sites ineffective.
  • No shared secret: There is no password stored on a server that can be leaked in a database breach.
  • Device-based security: The private key is protected by the device’s secure hardware (e.g., secure enclave or TPM).
  • Biometric or PIN unlock: Users authenticate with fingerprint, face recognition, or device PIN, improving both security and usability.
  • Support for sync or device-bound models: Passkeys can either be synced across devices via credential managers or remain bound to a single device, depending on security and assurance requirements.
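The relying-party binding and the absence of a shared secret can be seen in the checks a server runs on a passkey assertion. The following Node.js code is an added example, not code from this article's author or from any service named on the page; the domains, the simulated authenticator and all function names are assumptions made for illustration.

```javascript
// Added example: relying-party checks on a passkey (WebAuthn) assertion.
const nodeCrypto = require('node:crypto');

// Hypothetical names: the real site and a look-alike phishing host.
const RP_ID = 'accounts.example';
const EXPECTED_ORIGIN = 'https://accounts.example';
const LOOKALIKE_RP_ID = 'accounts.example.login.test';
const LOOKALIKE_ORIGIN = 'https://accounts.example.login.test';
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Simulated authenticator (constructed). Worst case on purpose: it signs for any
// RP ID, whereas a real one only offers a credential for the RP ID it was created for.
function makeAuthenticator() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  let signCount = 0;
  return {
    publicKey, // the only credential material the server ever receives
    // `origin` is written by the browser, not by the page or the user.
    getAssertion(origin, rpId, challenge) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++signCount);
      // authenticatorData = SHA-256(rpId) || flags (UP=0x01 | UV=0x04) || signCount
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]);
      const signature = nodeCrypto.sign(
        'sha256', Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authenticatorData, signature };
    },
  };
}

// Server side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(assertion, stored, expectedChallenge) {
  let clientData;
  try { clientData = JSON.parse(assertion.clientDataJSON.toString('utf8')); }
  catch { return 'malformed-client-data'; }
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge-mismatch';
  if (clientData.origin !== EXPECTED_ORIGIN) return 'origin-mismatch';

  const authData = assertion.authenticatorData;
  if (authData.length < 37) return 'authdata-too-short';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpid-mismatch';
  if (!(authData[32] & 0x01)) return 'user-not-present';
  if (!(authData[32] & 0x04)) return 'user-not-verified'; // biometric or PIN unlock

  // The signature covers authenticatorData || SHA-256(clientDataJSON), so the
  // origin, RP ID hash and challenge cannot be edited after signing.
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, stored.publicKey, assertion.signature)) {
    return 'bad-signature';
  }
  // A counter that fails to increase hints at a cloned credential (0/0 = no counter).
  const count = authData.readUInt32BE(33);
  if ((count !== 0 || stored.signCount !== 0) && count <= stored.signCount) {
    return 'counter-regression';
  }
  stored.signCount = count;
  return 'ok';
}

function runScenarios() {
  const authenticator = makeAuthenticator();
  // Server-side record: a public key and a counter, nothing worth stealing.
  const stored = { publicKey: authenticator.publicKey, signCount: 0 };
  const results = {};

  const c1 = nodeCrypto.randomBytes(32);
  const good = authenticator.getAssertion(EXPECTED_ORIGIN, RP_ID, c1);
  results.legitimate = verifyAssertion(good, stored, c1);

  // Sign-in performed on the look-alike site and forwarded to the real server.
  const c2 = nodeCrypto.randomBytes(32);
  const phished = authenticator.getAssertion(LOOKALIKE_ORIGIN, LOOKALIKE_RP_ID, c2);
  results.phishingRelay = verifyAssertion(phished, stored, c2);

  // Same assertion with origin and RP ID hash rewritten to the real values.
  const edited = JSON.parse(phished.clientDataJSON.toString('utf8'));
  edited.origin = EXPECTED_ORIGIN;
  results.rewrittenRelay = verifyAssertion({
    clientDataJSON: Buffer.from(JSON.stringify(edited)),
    authenticatorData: Buffer.concat([sha256(RP_ID), phished.authenticatorData.subarray(32)]),
    signature: phished.signature,
  }, stored, c2);

  // A captured valid assertion replayed against a fresh challenge.
  results.replay = verifyAssertion(good, stored, nodeCrypto.randomBytes(32));
  return results;
}

console.log(runScenarios());
```
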

2.2 Why Passkeys matter specifically in the UK

The UK has plenty of the same problems that are also driving passkeys globally, like phishing, password reuse, and the ongoing usability pain of logins. But what makes the UK distinct is how these pressures show up in everyday, high-trust journeys:

  • banking and payments,
  • citizen services, and
  • healthcare.

Across the country’s digital infrastructure, weaknesses in authentication translate directly into fraud, operational cost, and loss of trust in these sectors.

The Economic Context: Fraud at Scale and Credential Abuse

The most visible driver is the scale and persistence of financial crime. UK Finance reported total losses of £1.17 billion in 2024, and the volume of unauthorised fraud incidents remains extremely high, with 3.13 million confirmed cases reported in 2024. In practice, that means organisations are not only managing large losses, but also dealing with high-frequency credential abuse, customer remediation, and the support burden that comes with fragile authentication.

Passkeys address a core part of this problem by removing reusable secrets from the login flow. When implemented well, they reduce the attack surface for phishing and credential reuse, two mechanisms that continue to underpin many common account takeover patterns.

Aligning With the UK’s Digital Identity Direction

Passkeys also matter in the UK because sign-in modernisation is happening at citizen scale. As government and healthcare services upgrade their authentication journeys, millions of people are becoming familiar with modern, passkey-style sign-in that relies on built-in platform security rather than passwords. This growing exposure is shifting expectations toward simpler, faster, and more phishing-resistant access across other sectors.

More broadly, UK-wide identity modernization efforts, including the digital identity trust framework, make passkeys a natural building block. In the UK context, passkeys are not just a nicer login.

3. The Rollout Tracker: Who is Live? (UK)

UK organisations are steadily adopting passkeys to improve account security, reduce fraud, and reduce reliance on passwords and SMS-based authentication. Below is a snapshot of the current UK landscape as of late 2025.

3.1 NHS Passkeys

The NHS is one of the earliest large-scale government adopters of passkeys in the UK, integrating them into the NHS login service.

Key characteristics:

  • Passkeys available via NHS login for accessing health records and services
  • Designed to replace SMS-based one-time codes over time
  • Uses device-bound biometrics (Face ID / fingerprint) or device PIN
  • Positioned as both a security and usability upgrade for patients

NHS Login Help Centre

3.2 GOV.UK Passkeys

The UK government has begun introducing passkeys across selected GOV.UK services as part of a broader identity modernisation programme.

Key characteristics:

  • Gradual replacement of SMS OTP and email verification
  • Focus on high-assurance identity journeys
  • Integrated into government identity platforms rather than standalone apps
  • Long-term goal to reduce knowledge-based authentication

National Cyber Security Centre Announcement

3.3 Revolut Passkeys

Revolut was among the earliest UK fintechs to deploy passkeys at scale.

Key characteristics:

  • Biometric-backed passkeys replace passwords and PINs
  • Strong focus on fast, low-friction re-authentication
  • Designed to reduce phishing and account takeover risk
  • Integrated deeply into a mobile-first security model

Revolut Help Centre

3.4 Virgin Media Passkeys

Virgin Media has introduced passkeys for customer account management.

Key characteristics:

  • Passkeys available for online account access
  • Focus on reducing password resets and support volume
  • Targets phishing and account takeover attacks
  • Part of a broader telecom-industry shift to FIDO-based authentication

Virgin Media Account Security

3.5 EE Passkeys

EE (BT Group) supports passkeys for managing customer accounts online.

Key characteristics:

  • Passkeys reduce reliance on passwords and SMS verification
  • Integrated into BT Group’s identity infrastructure
  • Designed to improve consumer security with minimal friction

EE Help & Security

3.6 British Airways Passkeys

British Airways supports FIDO-certified authentication methods as part of its multi-factor authentication strategy.

Key characteristics:

  • Supports FIDO security keys and passkey-ready hardware
  • Primarily positioned as MFA rather than full password replacement
  • Focused on protecting high-value loyalty and booking accounts
  • Expected to evolve toward broader passkey usage

British Airways Account Security

3.7 Luno Passkeys

The London-founded crypto exchange supports passkeys for both login and authentication hardening.

Key characteristics:

  • Passkeys supported for sign-in and MFA
  • Designed for high-risk financial and crypto accounts
  • Reduces phishing and credential compromise
  • Aligns with regulatory expectations for strong authentication

Luno Help Centre

3.8 Dext Passkeys

Dext (formerly Receipt Bank) has deployed passkeys for its business users.

Key characteristics:

  • Reduces shared-password and credential reuse risks
  • Protects access to sensitive accounting and financial data
  • Positioned as an upgrade to traditional MFA

Dext Security Information

3.9 123-Reg Passkeys

123-Reg supports passkeys as a secure authentication factor for domain and hosting management.

Key characteristics:

  • Offered as a strong MFA option
  • Protects high-risk DNS and domain transfer actions
  • Reduces reliance on SMS-based authentication

123-Reg Security Centre

3.10 ASOS Passkeys

ASOS has been testing biometric and passkey-adjacent authentication flows, primarily on mobile.

Key characteristics:

  • Partial rollout focused on mobile app experiences
  • Frequently cited in regional passkey adoption directories
  • Likely precursor to full FIDO2 passkey deployment
  • Focus on checkout and account protection

ASOS App Security Updates

3.11 CPOMS Passkeys

CPOMS uses passkeys to protect access to highly sensitive safeguarding and child-protection data.

Key characteristics:

  • High-assurance authentication for education professionals
  • Reduces risk from credential sharing
  • Designed for regulated, sensitive environments

CPOMS Security Information

3.12 ePayslips Passkeys

ePayslips has integrated passkeys to protect employee payroll and HR data.

Key characteristics:

  • Secure employee access without password reuse
  • Privacy-preserving authentication model
  • Supports compliance-driven security requirements

ePayslips Product & Security

4. The UK Regulatory and Policy Environment is leaning towards Passkeys

The UK does not currently mandate Passkeys outright. However, several regulatory and policy forces create a strong baseline expectation for modern authentication, and they increasingly reward phishing-resistant approaches. In practice, this means many UK organisations are being pushed to rethink logins and step-up authentication with multi-factor authentication, especially where fraud risk is high (payments, account access, sensitive changes) and where user experience cannot afford constant friction.

Two drivers stand out in particular:

  • National security guidance from the National Cyber Security Centre (NCSC) and
  • Strong Customer Authentication (SCA) rules overseen by the Financial Conduct Authority (FCA) that shape how payments and account access are secured.

4.1 NCSC Guidance: the UK’s Expectations for phishing-resistant MFA

For most UK organisations, the NCSC functions as the reference point for what “good” security looks like in the real world. This is especially true for authentication, where the NCSC is explicit that not all MFA methods provide the same protection. In its guidance on recommended MFA types, the NCSC highlights FIDO2 MFA (aka passkeys) as offering guessing resistance, phishing resistance, and theft resistance.

That distinction matters because many widely used MFA options primarily defend against password guessing, while remaining vulnerable to modern social engineering. The NCSC’s broader MFA guidance explains why organisations should choose controls based on real attacker behaviour, rather than treating “any MFA” as automatically sufficient.

The UK’s passkey conversation is also shaped by the NCSC’s public position that passkeys are a clear step forward, while still having practical adoption challenges to solve across usability, deployment patterns, and recovery.

4.2 Strong Customer Authentication: PSD2 in the UK and FCA Enforcement

Strong Customer Authentication (SCA) is one of the most consequential regulatory levers for authentication in the UK, because it directly affects how customers access accounts and approve many electronic payments. In the UK, SCA sits within the Payment Services Regulations framework (which implemented PSD2) and is overseen by the FCA. Although described in a UK regulatory context, these SCA requirements are substantively the same as the PSD2 SCA rules applied across all EU member states.

At a high level, SCA requires authentication based on two or more independent factors drawn from three categories:

  • Knowledge: something only the user knows
  • Possession: something only the user possesses
  • Inherence: something the user is

This definition, including the requirement that the factors are independent (so that compromising one does not compromise the other), is captured in UK industry guidance and FAQs used by payment and banking stakeholders.

4.2.1 SCA in E-commerce Payments

While SCA-related rules have applied in the UK since 14 September 2019, one of the most important moments for consumers and merchants was the move to full compliance for e-commerce card transactions. The FCA extended the deadline for e-commerce SCA implementation to 14 March 2022.

This timeline matters because it explains why authentication UX has become a commercial issue in the UK. SCA improves payment security, but it also introduces friction if implemented with clunky or failure-prone step-up methods. The result is that UK organisations have been actively searching for approaches that can satisfy strong authentication requirements without turning checkout and sign-in into conversion bottlenecks.

4.3 “Cyber Essentials” as practical Compliance Pressure

Beyond regulated finance, one of the most practical factors for stronger authentication in the UK is Cyber Essentials, a widely used baseline for organisational cyber hygiene. For many companies (and especially SMEs), it’s a requirement for doing business, winning tenders, or meeting supplier due diligence expectations.

What matters for passkeys is that the Cyber Essentials requirements are explicit about where MFA should be used and how organisations should think about MFA quality. In the current requirements for IT infrastructure v3.2, MFA is positioned as a key control for protecting accounts, particularly where access is possible from the internet or where cloud services are involved. The document also notes that SMS is not the most secure MFA method and recommends using stronger alternatives where feasible.

4.4 Digital Identity Trust Framework (DIATF): What it means for Passkeys

In parallel to One Login (UK government's unified digital identity and single sign-on system), the UK has been building the broader rulebook for digital identity ecosystems: the UK Digital Identity and Attributes Trust Framework (DIATF). This matters because passkeys become much more powerful when they can sit inside trustworthy, interoperable identity journeys, for example where services rely on verified attributes (age, right to work) and consistent assurance expectations.

A key UK-specific milestone is that the DIATF gamma version came into force on 1 December 2025 and is described as the first statutory trust framework for Digital Verification Services under the Data (Use and Access) Act 2025. This is an important “institutional signal”: the UK is formalising the governance model around digital identity.

At a practical level, DIATF sets expectations for how different actors in the ecosystem operate, for example:

  • Identity verification providers: how a person’s identity is checked and what quality controls apply
  • Attribute providers: how verified attributes are handled, shared, and governed
  • Wallet / holder services: how users manage credentials and recovery safely
  • Interoperability and oversight: how trust is maintained across multiple providers without relying on a single central database

This framework is one reason the UK discussion about passkeys quickly moves beyond “login convenience” and into questions of assurance, recovery, and how cryptographic credentials fit into a wider digital trust architecture.

5. Financial Sector Adoption

The UK financial sector is one of the most natural early adopters of passkeys. Few industries combine such a high fraud incentive with such strict expectations around authentication quality and user protection. At the same time, UK consumers are already used to increased security in banking, which makes the sector a practical proving ground for authentication methods that can be both stronger and simpler.

5.1 Why UK Finance is a natural early Adopter

UK Finance’s latest figures highlight fraud at national scale, and the attack volume remains extremely high. That makes authentication quality a front-line control for UK financial services, not a back-office detail.

A few UK-specific patterns make authentication quality especially important:

  • Remote purchase fraud remains a major loss category, reaching £399.6 million in 2024.
  • The industry prevented £1.45 billion of unauthorized fraud, described as the equivalent of 67p in every £1 attempted being stopped without a loss occurring.
  • Telephone banking fraud is still heavily driven by social engineering, and UK Finance explicitly notes social engineering as the main driver in this category.

Against this backdrop, passkeys are compelling because they make classic phishing and credential replay materially harder. That is directly aligned with the fraud mechanisms the UK is seeing at scale.

5.2 Neobanks and digital-first banks: UX-led rollout

5.2.1 Revolut’s Passkey Strategy in the Context of UK Expansion

UK digital-first banks and fintechs tend to move earlier because they can iterate quickly and because their customers often live in mobile-first flows already. Revolut is a well-known example: it has rolled out passkeys for Personal and Business accounts, positioning passkeys as a practical alternative to passwords in day-to-day sign-in.

This is also happening in a broader context of Revolut’s UK expansion. Revolut announced it received a UK banking licence with restrictions on 25 July 2024 and entered the PRA “mobilisation” stage. That matters because passkeys fit naturally into the direction of travel for a challenger bank that wants to scale digital trust while keeping sign-in friction low.

5.2.2 Wise’s Passkey Model for Secure Account Actions

A second UK-relevant example is Wise. Wise documents how users can set up and manage passkeys and states that once set up, passkeys become the default 2-step verification method for the account. This is a strong pattern for finance: passkeys are not only a “login convenience feature”, but they can also become the default step-up method for sensitive actions.

5.3 Incumbent banks: scaling passkeys safely

For large incumbent banks, the opportunity is enormous, but so is the complexity. Most high street banks already operate mature device-based security models, including security codes and dedicated “secure key” style approaches in digital banking. HSBC, for example, documents its use of a Digital Secure Key and security codes as an extra layer for online banking transactions.

That existing posture shapes how passkeys enter the picture. In practice, incumbents tend to evaluate passkeys through questions like:

  • How to introduce passkeys without disrupting established risk controls and customer journeys
  • How to support a transition period where multiple sign-in methods must coexist
  • How to avoid shifting risk from login to weaker recovery paths (a recurring theme in national guidance, and a practical concern for banks)

This is why, in the UK, financial passkey adoption is best understood as a multi-stage transition. Neobanks can move fast, while incumbents are usually optimising for a safe migration at national scale.

5.4 Payment Providers and Fintech Infrastructure

Payment providers play an outsized role in making passkeys real for consumers, because they cover login, checkout, and account security. A particularly clear UK milestone was PayPal’s expansion of passkeys to users in the UK on 27 June 2023.

This matters for the UK market for two reasons:

  1. It increases public familiarity with passkeys outside of tech-native contexts.
  2. It reinforces the idea that passkeys can reduce friction in high-frequency, high-risk flows, which is exactly the pressure point for payments.

Alongside these brands, fintech platforms like Wise contribute to normalizing passkeys as part of a modern security baseline, especially when passkeys become the default method for step-up verification.

6. Government and public Services: Passkeys for citizens

In the UK, public services are doing something uniquely powerful for passkey adoption: they are teaching passkeys at scale. When millions of people encounter passkeys in government and healthcare journeys, passkeys stop feeling like a “tech feature” and start feeling like a normal way to sign in. The result is a flywheel: familiarity increases, expectations rise, and private-sector rollouts face less user friction.

6.1 GOV.UK One Login: Moving away from passwords

GOV.UK One Login is designed to be the single way for people to sign in and prove their identity when using government services online. As of January 2026, GDS stated that over 13 million people have used it to access more than 120 services.

What makes this especially relevant for passkeys is that One Login has publicly put Passkeys on its roadmap as a sign-in capability, describing the goal as letting users sign in with a biometric fingerprint or face scan instead of entering a password. This is a strong signal that passkeys are being treated as a first-class authentication method for citizen-scale services, not just an optional add-on.

A major milestone for national adoption is the integration of high-volume services. On 9 February 2026, HMRC announced that new customers registering for HMRC digital services can sign up using GOV.UK One Login, creating an account with an email address and password rather than a 10–12 digit Government Gateway ID. HMRC also frames One Login as the future single way to access government services online, from tax to passports to voter registration.

GDS also emphasizes that trust and privacy are foundational, including that only minimum necessary data is collected and that there is no central database linking user information across government. This is part of why passkeys are such a natural fit for public services: the authentication method can improve phishing resistance without requiring citizens to manage more secrets or security codes.

6.2 NHS Login: Passkeys in Healthcare at Scale

Healthcare access is one of the clearest examples of why the UK’s passkey story is not just about convenience. NHS Login explicitly positions passkeys as a secure alternative to passwords and states that passkeys provide the strongest protection against phishing and hacking attempts.

From a rollout perspective, the NHS Login help centre is also a good example of what passkey support at scale looks like in practice:

  • NHS Login tells users they can log in using fingerprint, face, PIN, passcode, or pattern, depending on how they unlock their device.
  • It explicitly supports multi-device patterns, noting that users can have multiple passkeys set up on different devices.
  • It documents cross-device setup via QR codes and supports Windows flows via Windows Hello or an external security key.
  • It also makes a clear privacy statement: the passkey is stored on the user’s device and cannot be seen or accessed by NHS login.

This combination (clear user guidance, multi-device support, and explicit recovery information) is exactly what makes public-sector passkey deployments so influential. They teach users what passkeys are and what to expect, and they set a usability baseline other services need to match.

6.3 Inclusivity and Accessibility Requirements

Government and healthcare authentication must work for everyone, including people with older devices, limited digital confidence, or accessibility needs. That requirement shapes how passkeys are introduced in the UK: typically as an upgrade path, not as an immediate hard requirement.

You can see this in the focus on support and fallback mechanisms:

  • The GOV.UK One Login roadmap includes a backup two-factor authentication method and flexible management of two-factor methods.
  • HMRC’s announcement also points users who need extra help to contact support for assistance with their GOV.UK One Login.
  • NHS Login explains device loss scenarios and notes that users can still log in using another device with a passkey, or use a password if they do not have another passkey set up.

The practical takeaway is that UK public services are building passkeys into systems that must remain resilient under real-world constraints: device churn, lost phones, shared devices, accessibility needs, and a wide range of user capabilities. That forces careful design around recovery, support, and safe fallbacks, which is often where weaker passkey implementations in other sectors struggle.

7. What UK institutions and experts are signalling

In the UK, passkey adoption is being pulled forward by institutions that each apply pressure from a different angle: security doctrine, fraud economics, payments compliance, and trust requirements. Together, they are converging on the same practical outcome: phishing-resistant authentication is becoming the default expectation for high-trust journeys.

NCSC sets the quality bar for authentication: The NCSC has made one point especially clear: not all MFA is equal, and phishing resistance is the differentiator that matters in real attacks. That framing gives security teams a strong basis to prioritise FIDO2-style approaches and to treat recovery and rollout design as part of the security model, not an afterthought.

UK Finance makes the business case impossible to ignore: Fraud is described as a societal-scale problem, not a niche security issue. That makes authentication improvements a board-level topic in many financial institutions, and it’s why solutions that reduce phishing and account takeover without adding friction keep gaining momentum.

FCA turned authentication UX into a compliance constraint: SCA pushed strong authentication deeper into everyday customer journeys, especially in payments and checkout. The implication is simple: if security controls create drop-off or failure loops, they become commercially painful. That naturally increases appetite for approaches that are both strong and low-friction.

Ofcom raises the bar for trustworthy user journeys: As online safety and age assurance requirements grow, services need signals that are robust and usable for real people. This doesn’t mandate passkeys directly, but it reinforces the broader direction: higher-trust digital interactions need better primitives, and phishing-resistant authentication is one of them.

Taken together, the UK’s direction of travel is clear. The remaining differentiator will be execution: consistent UX, inclusive support, and recovery paths that do not quietly reintroduce the same old weaknesses.

8. Conclusion: The UK at a Tipping Point for Passkey Adoption

The UK’s transition toward passkeys is no longer hypothetical: persistent fraud pressure, increasingly explicit expectations for phishing-resistant authentication, and government-scale sign-in modernization are combining to make passkeys a mainstream priority across sectors.

  1. What are passkeys and why do they matter for the UK? Passkeys replace reusable secrets with phishing-resistant cryptographic credentials, which is crucial in the UK where authentication underpins high-trust journeys across banking, government, and healthcare.
  2. How is regulation and policy pushing change? UK institutions are steadily raising the baseline toward phishing-resistant authentication, making stronger, simpler sign-in methods the practical destination for regulated and citizen-facing services.
  3. How far has implementation progressed across sectors? Passkeys are already visible at national scale through public-sector platforms and are being reinforced by adoption in finance and large consumer services.
  4. What challenges remain to scale passkeys nationwide? The biggest blockers are execution details, especially inconsistent UX and weak recovery flows that can quietly undermine phishing-resistant login.
