英国网络安全负责人表示是时候放弃密码，改用 Passkeys——它们是什么？

Source: BBC Technology

请提供您希望翻译的具体内容，我将为您翻译成简体中文。

UK urged to ditch passwords for passkeys

People in the UK have been urged to start ditching passwords in favour of passkeys, where available, as a way to secure their accounts online.

Passwords have long been the default way many people set up and log in to accounts for digital services. However, the National Cyber Security Centre (NCSC) said on Thursday it was “overhauling decades of security practice” to instead recommend passkeys as the most secure option.

Platforms including Apple, Google and X already let people use them instead of passwords, but what are passkeys, and how do they work?

Against a backdrop of rising data breaches, the NCSC has also repeated warnings against reusing the same password for different sites. Password managers and multi‑factor authentication (MFA) methods have grown in usage as a way to help strengthen and save log‑in credentials.

The NCSC believes passkeys may be less vulnerable to hacks and human error, but some experts say they are still “not a silver bullet”. Like passwords, passkeys are a form of authentication to make sure it is you trying to access an account. But unlike passwords, they do not require you to remember a code or combination of letters, numbers and symbols.

Passkeys are a piece of digital information which is tied to a user’s account and unique to each site or app they use. They use cryptography to perform checks at device‑level and usually work alongside tech already baked into devices like smartphones, such as Face ID and Touch ID on iPhones, and Face Unlock on Google Pixel phones.

Google and iPhone‑maker Apple are among operating system developers offering them as an alternative way users can sign into accounts. According to the NCSC, passkeys can offer more protection because they are unique to each website you register to use them with, and there is no secret bit of information shared.

The NCSC’s director for national resilience Jonathan Ellison called them “a user‑friendly alternative which provide stronger overall resilience”. He added they could also help relieve “the headaches that remembering passwords have caused us for decades”.

它们是如何工作的？

Passkeys 通过一种称为公钥密码学的技术实现。

“与其让你创建并记住共享的秘密（比如密码），你的设备会生成一对安全密钥——一部分保留在你的设备上，另一部分存放在你登录的服务端，” BCS（特许信息技术协会）的 Daniel Card 说。

该过程通常涉及你解锁设备时所做的操作——例如使用内置的生物识别传感器扫描指纹或面部，或使用 PIN 码。仅交换你已完成验证的事实——而不是具体信息本身。

“这些物理安全密钥完全抵御钓鱼攻击，且无法被远程攻击者拦截或窃取，这意味着只有密钥持有者才能访问其账户，” 网络安全公司 Yubico 的地区总监 Niall McConachie 说。

“不是灵丹妙药”

NCSC（英国国家网络安全中心）和许多网络安全专家认为，密码密钥（passkeys）至少与多因素认证（MFA）方法一样安全，甚至更安全，例如将强密码与检查相结合，以确保是你在另一台设备上尝试登录账户。但Card（卡德）指出，正如其他人之前所说，密码密钥“并非灵丹妙药”。

丢失设备或完全失去对设备的访问也会使配置密码密钥变得棘手。NCSC 表示，过去并未倡导转向使用它们，原因是“实施挑战”，例如采用速度缓慢和支持不完善。许多平台仍然不允许用户使用密码密钥来替代或与密码一起使用。

在不支持密码密钥的情况下，NCSC 建议使用密码管理器来创建强密码，并采用多种认证方式。

根据 FIDO Alliance，这是一个推动密码密钥以实现“无密码未来”的行业协会，该技术目前已在所有主要操作系统、互联网浏览器以及第三方提供商中得到支持。McConachie 表示，对密码密钥的支持日益增长——包括去年英国政府在数字服务中采用它们——表明“这不仅仅是一个小众趋势”。

“从密码转向密码管理器、基于应用的 MFA，如今再到密码密钥，是降低风险的跨越式变化，” Card 补充道。 “这就是像 NCSC 这样的组织支持它们的原因，也正是安全社区中许多人在任何可用的地方已经采用它们的原因。”