Government to roll out passkey technology across digital services as an alternative to SMS-based verification.

Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Arkadiusz Wargula via Getty Images
Government set to roll out passkey technology across digital services later this year.
SMS-based verification to be replaced by more secure, cost-effective solution.
NCSC joins FIDO Alliance to shape international passkey standards.
The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.

Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.

Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.

This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.

The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.

In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.

Following news of cyber incidents impacting UK retailers, the NCSC can confirm it is working with organisations affected.

NCSC CEO Dr Richard Horne said:

“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”

The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.

The attacks on Marks and Spencer, Co-op and Harrods are linked. DragonForce’s lovely PR team claim more are to come.

Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it’s a repeat of the 2022–2023 activity which saw breaches at Nvidia, Samsung, Rockstar and Microsoft amongst many others. More info below.

I am not saying it is Scatter Spider; Scattered Spider has become a dumping ground for e-crime groups anyway. The point is they — the threat actor — are entering using the front door, via the helpdesk to get MFA access — those are very good guides from defenders about what to do, links below.

Source: Cybersecurity and Infrastructure Security Agency
DragonForce is a white label cartel operation housing anybody who wants to do e-crime. Some of them are pretty good at e-crime.

While organisations are away at RSA thinking about quantum AI cyber mega threats — the harsh reality is most organisations do not have the foundations in place to do be worrying about those kind of things. Generative AI is porn for execs and growth investment — threat actors are very aware that now is the time to launch attacks, not with GenAI, but foundational issues. Because nobody is paying attention.

Once they get access, they are living off the land — using Teams, Office search to find documentation, the works. Forget APTs, now you have the real threat: Advanced Persistent Teenagers, who have realised the way to evade most large cyber programmes is to cosplay as employees. Last time this happened, the MET Police ended up arresting a few under-18 UK nationals causing incidents to largely drop off.

Some Marks & Spencer (M&S) stores have been left with empty food shelves as the retailer continues to struggle with a cyber attack affecting its operations.

Online orders have been paused on the company's website and app since Friday, following problems with contactless pay and Click & collect over the Easter weekend.

The BBC understands food availability should be back to normal by the end of the week.

Meanwhile, security experts say a cyber crime group calling itself DragonForce is behind the mayhem.

Google intelligence report finds UK is a particular target of IT worker ploy that sends wages to Kim Jong Un’s state

British companies are being urged to carry out job interviews for IT workers on video or in person to head off the threat of giving jobs to fake North Korean employees.

The warning was made after analysts said that the UK had become a prime target for hoax IT workers deployed by the Democratic People’s Republic of Korea. They are typically hired to work remotely, enabling them to escape detection and send their wages to Kim Jong-un’s state.

Google said in a report this month that a case uncovered last year involved a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defence industry and government sectors. Under a new tactic, the bogus IT professionals have been threatening to release sensitive company data after being fired.

The firm has stopped taking orders on its website and apps, including for food and clothes.
Marks & Spencer (M&S) says it has stopped taking online orders as the company struggles to recover from a cyber attack.

Customers began reporting problems last weekend, and on Tuesday the retailer confirmed it was facing a "cyber incident".

Now, M&S has entirely paused orders on its website and apps - including for food deliveries and clothes - and says it will refund orders placed by customers on Friday.

The firm's shares fell by 5% following the announcement, before recovering.

Online orders remained paused on Saturday morning.

"We are truly sorry for this inconvenience," the retailer wrote in a post on X.

"Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping.

"We are incredibly grateful to our customers, colleagues and partners for their understanding and support."

In a sanctions package including more than 150 new measures, the British government said it was closing loopholes being exploited by the Kremlin.

Two spyware variants – Moonshine and BadBazaar – are being used to target the mobile devices of persons of interest to Chinese intelligence, including individuals in the Taiwanese, Tibetan and Uyghur communities.

Just days after reporting on the Samsung Tickets data breach, another massive leak has surfaced, this time targeting Royal Mail Group, a British institution with over 500 years of history.

On April 2, 2025, a threat actor known as “GHNA” posted on BreachForums, announcing the release of 144GB of data stolen from Royal Mail Group. The breach, once again facilitated through Spectos, a third-party service provider, exposes personally identifiable information (PII) of customers, confidential documents, internal Zoom meeting video recordings, delivery location datasets, a WordPress SQL database for mailagents.uk, Mailchimp mailing lists, and more.

The prolific Medusa ransomware group claims to have stolen troves of data from HCRG, including patients’ sensitive health data

A threat actor has infected the website of Casio UK and 16 other victims with a web skimmer that altered the payment flow to harvest and exfiltrate visitors’ information, web security provider Jscrambler reports.

Now we’re in 2025, a lot more services are offering passkeys as a replacement for passwords and the NCSC believes they are the future of modern authentication. However, there are still some significant bumps in the road ahead. Here we set out the case for mass adoption of passkeys and outline the remaining issues which are hindering their widespread implementation. The NCSC will work alongside industry to help resolve these problems and help to get passkeys over the line.

Prohibition would bring the NHS, schools and local councils into line with government departments

Nominet, the U.K. domain registry that maintains .co.uk domains, has experienced a cybersecurity incident that it confirmed is linked to the recent

U.K. investigators tell the story of how examining a cybercrime group's extortion funds helped to unravel a money-laundering network reaching from the illegal drug trade to Moscow's elite.

Two NHS trusts in England have been hacked in recent weeks, the latest attacks to hit the national health service.

Major UK healthcare provider Wirral University Teaching Hospital (WUTH), part of the NHS Foundation Trust, has suffered a cyberattack that caused a systems outage leading to postponing appointments and scheduled procedures.

A record number of cyber incidents impacted Britain’s critical drinking water supplies this year without being publicly disclosed, according to information obtained by Recorded Future News.

The exact nature of these incidents is unclear, and they may include operational failures as well as attacks. Under British cybersecurity laws — known as the NIS Regulations — critical infrastructure companies are required to report “significant incidents” to the government within three days or face a fine of up to £17 million ($21 million).

Microlise, a telematics company, said a network intrusion affected services that it provides to British prisoner escort vans.

Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics.