
NCSC Just Said 'Leave Passwords in the Past'. Here's What UK Schools, Charities and SMBs Should Actually Do Next.

3 May 2026Boris Didov

Last week the NCSC took a position it had been carefully avoiding for years: passkeys, not passwords, should now be the default way to log into online services. We unpack what changed in the April 2026 guidance, why it lines up so neatly with Cyber Essentials Danzell, the 2025/2026 breaches survey and the M&S supplier story - and the four things UK schools, charities and smaller businesses should actually do in the next ninety days.

Key takeaways

  • On 22 April 2026 the NCSC formally recommended passkeys over passwords for the first time. It had stopped short of doing so in 2025 because of unresolved recovery and portability questions; it has now decided industry has closed the gap.
  • A passkey is a public/private key pair held on the user's device and scoped to the one website (relying party) it was created for. The private key is never transmitted, and the authenticator will only sign for the domain the user is actually on, which closes off phishing, credential stuffing and reuse from password breaches - the attacks that drive most UK breach reports.
  • This lands at the same moment as Cyber Essentials Danzell (now mandatory and explicitly nudging towards passwordless authentication) and the 2025/2026 Cyber Security Breaches Survey (phishing still the most common attack at 38% of businesses and 25% of charities).
  • Passkeys also shut the helpdesk-reset route that was used against M&S, Co-op and Harrods. A device-bound or vendor-account-recovered credential cannot be reset to 'the new one I'll just tell you over the phone' - provided your own recovery process does not quietly reintroduce a phone-based reset.
  • A realistic 90-day plan: turn on passkeys in your identity provider in the next two weeks; enrol your highest-risk accounts on passkeys with a hardware backup in the next four; write a user guide and recovery process in the next eight; retire passwords on at least one tier-one service in the next twelve; then run the same exercise across your supplier list.

At CYBERUK 2026 in Glasgow last week, the National Cyber Security Centre quietly buried a piece of advice that it and its predecessor CESG had been giving for the better part of two decades. In a new technical note and an accompanying blog post on 22 April, the NCSC said that passkeys, not passwords, should now be the default way to log into online services, both for individuals and for the businesses that serve them. The agency had stopped short of that recommendation in 2025 because of unresolved questions around account recovery and cross-platform portability; over the last year it has decided industry has closed the gap enough to make passkeys the standard advice rather than the cautious option.

This is a bigger shift than the headline suggests, and it lands in a fairly specific moment for ReadyToday's readers. The 2025/2026 Cyber Security Breaches Survey, published two days before the NCSC announcement, again put phishing at the top of the attack table - 38% of UK businesses and 25% of charities reported phishing incidents in the last year. The Cyber Essentials Danzell question set, which became mandatory on 27 April, now contains an explicit nudge towards passwordless authentication for the first time. And the cluster of M&S, Co-op and Harrods incidents we wrote about last week traced back, in the end, to a phone call to an outsourced helpdesk and a password reset on a third-party account. Three of the most discussed UK cyber stories of the past fortnight all converge on the same conclusion: passwords are the soft underbelly, and they are about to stop being the default in official guidance.

So what should a school, a charity or a smaller business actually do with that, when the budget for cybersecurity is "what's left after teaching assistants and the boiler"? Less than you might think, and probably more usefully than you expect.

What the NCSC actually said

The April announcement is two documents in one. The first is a public-facing position: where a service offers passkeys, the NCSC now recommends that individuals use them in preference to a password, and that businesses offer them as the default authentication option for their customers. The second is a technical paper aimed at security and IT teams that walks through the FIDO2/WebAuthn model, the threat-resistance properties of passkeys, and the conditions under which passkeys are safe to deploy. The headline claim of the technical paper is that passkeys are at least as secure as the strongest password paired with two-step verification, and meaningfully more secure in the most common attack scenarios.

The "more secure in the common case" part is the bit worth paying attention to. A passkey is a public/private key pair generated on the user's device for one specific website. The private key never leaves the device and is never sent over the network during sign-in; what the site receives is a signature over a one-time challenge it has just issued, and the browser only asks the authenticator to sign for the domain the user is actually on. Those two properties close off the attacks that drive most breach reports: phishing pages cannot collect a credential that is never typed, and a lookalike domain gets no signature at all; credential-stuffing botnets cannot replay a password that does not exist; data-broker leaks of breached passwords are useless against an account that does not have one. The remaining attacks - device theft, malware on the endpoint, social engineering of helpdesk staff - are real, but they are also a much smaller universe than "the user's password is somewhere on the internet".


The NCSC also included some data on user experience that matters for any organisation that has to support its staff or members. Sign-in with a passkey is, on average, several times faster than typing a username, password and one-time code, and the success rate on first attempt is materially higher than with passwords plus 2SV. For a stretched school office or a charity helpdesk that fields password reset calls every Monday morning, that is a real number.

Why this matters for the typical UK SMB, charity or school

If you held Cyber Essentials Danzell in mind while reading the announcement, you will have noticed the alignment. The Danzell question set, mandatory since 27 April, treats failure to enable MFA on cloud services where it is available as an automatic fail, and the user-access section explicitly highlights passkeys as a stronger alternative to passwords. Until now it has been possible to read that as a future-tense suggestion. The NCSC's April note effectively reads it as the present.

The 2025/2026 Cyber Security Breaches Survey tells us why both moves arrived at the same time. Phishing has been the most common attack type in every year the survey has run. The 2025/2026 numbers also showed AI-assisted phishing rising while the share of organisations giving staff anti-phishing training stays under one in five. The training gap is a real problem, but it is also a problem with diminishing returns. Once the lures are personalised, in fluent English, and indistinguishable from the real thing, even well-trained staff will click. The most reliable defence is to make the credential itself impossible to phish - which is what a passkey does.

Then there is the supplier-and-helpdesk lesson from the M&S retrospective. The intrusion succeeded because a password could be reset over the phone. A passkey cannot be reset to "the new one I'll just tell you over the phone" - device-bound passkeys require physical possession of the device, and synced passkeys are recovered through the platform or password-manager account that holds them, which has its own MFA. That moves the recovery problem rather than abolishing it (the vendor account's recovery flow is now the thing to protect), but it removes one of the cheapest entry routes into a network in 2026.

The "but" list - what to be honest about

None of this means everyone should mass-roll-out passkeys next week. A few realities are worth naming.

Not every line-of-business application supports passkeys yet. School MIS systems, smaller charity CRMs and some legacy finance tools are still password-only. Microsoft Entra ID, Google Workspace and Apple's Managed Apple Accounts (formerly Managed Apple IDs) all now have mature passkey workflows, but the back-office tooling underneath is uneven. The right strategy for most organisations is not "switch everything", it is "switch the identity provider and the highest-risk apps first, then chase the long tail".

Account recovery is the bit that breaks pilots. If your only passkey lives on a phone that ends up in a school field trip lake, you need a clear, rehearsed recovery path. The NCSC's guidance is reasonably explicit that organisations should plan for at least two passkeys per user (a primary and a backup, ideally on different devices or platforms) and document a recovery process that does not collapse back into "phone the helpdesk and ask for a password reset" - which is what got us into this conversation in the first place.

Cost is real but small. For most SMBs, charities and schools the change is configuration in services they already pay for, plus a modest hardware key spend for the most privileged accounts. The big number is staff time - communications, support, the inevitable "but I always typed my password" friction in the first month.

A 90-day action list

If you want to take the NCSC at its word without overcommitting, here is a sequence that fits the average UK smaller-organisation calendar.

First, in the next two weeks, turn on passkey support in your identity provider. For Microsoft 365 that is the Passkey (FIDO2) method in the Entra ID authentication methods policy; for Google Workspace it is the passkey and passwordless settings under Security and Authentication in the Admin console. You do not have to make passkeys mandatory yet - just allow them and make them the recommended option on your sign-in screen.

Second, in the next four weeks, enrol your highest-risk accounts on passkeys with a hardware backup. That means anyone with global admin, finance approval, or access to pupil, donor or customer personal data. These are also exactly the accounts a Scattered-Spider-style attacker phones the helpdesk about, and they are the ones the Cyber Essentials Danzell rules are most specific about. Where your identity provider supports it (Entra ID can restrict accepted authenticators by AAGUID), limit enrolment to the hardware key models you actually issued, so a "backup" is not whatever device an attacker manages to register.

Third, in the next eight weeks, write a one-page user-facing guide for the rest of staff explaining what a passkey is, how to set one up on the devices they actually use, and what to do if they lose a device. Put it next to the helpdesk reset policy you already wrote after the M&S story broke. The two documents should reference each other.

Fourth, in the next twelve weeks, retire the password as a primary login route on at least one tier-one service - typically email or the identity provider - and require passkeys plus a single backup method. This is the step that materially closes the phishing gap, and it is the step that most pilots quietly skip because nobody wants to be the one who locks the head teacher out of email at half-term. Plan it, communicate it, do it.

Finally, walk this whole exercise back through your supplier list. Any third party with a privileged account in your environment should be using a passkey to access it - and if they are not, your contract should commit them to a date by which they will be. This is the single follow-up most organisations missed after the supply-chain conversation last year.

The honest summary

The NCSC has not invented passkeys, and it has not declared passwords illegal. What it has done is move the centre of gravity of UK official advice. Over the next year, Cyber Essentials assessors, cyber insurance underwriters and IT auditors will increasingly be reading from the same hymn sheet: passkeys are the default; passwords are the legacy thing you have to justify keeping. Smaller organisations that move first will find themselves quietly aligned with the next round of compliance requirements, with a measurably smaller phishing surface, and with one fewer thing to reset over the phone.

If you want a hand walking your identity stack, your supplier list and your highest-risk accounts through this transition, our cybersecurity resilience service is built around exactly this kind of work, and a discovery call is the fastest way to start.

© 2026 Didov Limited trading as ReadyToday·UK-based · Privacy-aware by default