NullSec.news// Cyber news for anyone

UK Government Makes It Official: NCSC Recommends Passkeys Over Passwords as Microsoft Begins Windows Rollout

The UK's National Cyber Security Centre has formally recommended passkeys as the default authentication method, calling passwords "no longer resilient enough for the contemporary world." The announcement at CYBERUK 2026 coincides with Microsoft beginning its rollout of Entra passkey support to Windows devices, including unmanaged PCs.


The NCSC's Formal Endorsement

The UK's National Cyber Security Centre (NCSC) has formally recommended passkeys as the primary authentication method for consumers and urged enterprises to offer them by default. Announced at CYBERUK 2026 in Glasgow, the guidance states that passkeys should replace passwords wherever a service supports them, with two-step verification (2SV) recommended only where passkeys are not yet available. [1]

The NCSC described the move as "overhauling decades of security practice." [2] It is the first time a major national cybersecurity authority has unequivocally positioned passkeys ahead of all traditional multi-factor authentication (MFA) methods - including SMS codes, authenticator app OTPs, and hardware token-generated codes - in its official consumer guidance.

The Technical Assessment

The endorsement is not a marketing decision. The NCSC published a technical paper at CYBERUK comparing the security properties of traditional MFA and FIDO2 credentials across the full credential lifecycle - creation, storage, use, synchronization, revocation, and recovery. [1]

The paper's central finding: all traditional MFA methods, including passwords combined with SMS codes, email codes, time-based one-time passwords (TOTP), and push approvals, are "inherently phishable." [1] By contrast, FIDO2 credentials including passkeys were assessed as "as secure or more secure than traditional MFA against all common credential attacks observed in the wild." [1]

The NCSC specifically noted that because FIDO2 removes the ability to cheaply reuse or relay credentials, large-scale attacks directly targeting correctly implemented passkeys are "unlikely." [1] This economic argument matters: even if individual device compromise remains theoretically possible, the cost per credential is orders of magnitude higher than mass phishing campaigns that target passwords.

Microsoft's Entra Rollout Adds Enterprise Momentum

The same week, Microsoft began rolling out passkey authentication for Microsoft Entra-protected resources on Windows devices. The rollout, starting in late April 2026 with general availability expected by mid-June, extends phishing-resistant passwordless sign-in to unmanaged personal and shared PCs - not just corporate-joined machines. [3]

This is a significant expansion. Previous Entra passkey support required devices to be Entra-joined or registered, limiting its reach to managed corporate endpoints. The new rollout brings device-bound passkeys via Windows Hello to any Windows device accessing Entra-protected resources, controlled through Authentication Methods policies and Conditional Access. [3]

For enterprises, the practical effect is immediate: administrators who have not explicitly configured their passkey policies may find the feature enabled by default as the rollout completes. Microsoft has stated that no action is needed unless organizations want to block the capability. [3]

What This Means for Enterprises

The NCSC's guidance is directed primarily at consumer-facing services but carries clear implications for enterprise security leaders. The agency explicitly told organizations to offer passkeys as the default login option for customers. [4]

Forrester senior analyst Madelein van der Hout framed the shift as architectural rather than incremental: "This is a fundamental architectural change, not an incremental authentication upgrade. It moves organizations beyond the passwords-plus-MFA paradigm toward a phishing-resistant foundation." [4]

However, both the NCSC and independent analysts flag adoption challenges. Legacy systems, fragmented identity environments, and the need to secure fallback mechanisms such as password resets and account recovery flows remain significant obstacles. [4] The NCSC cautioned that weaker processes around account recovery can reintroduce the very risks that passkeys eliminate - a point that security architects should not overlook during implementation.

Van der Hout also noted a blind spot: "Any passkey strategy that ignores the machine identity layer will create new security gaps," referencing the growing role of non-human identities in enterprise environments. [4]

The Hybrid Reality

A complete elimination of passwords is not imminent. The NCSC acknowledged that passkeys are not yet universally supported and recommended maintaining password managers and 2SV as fallbacks. [2] Analysts expect a hybrid model - passkeys as the primary method with password fallbacks - to persist for several years. [4]

This hybrid period introduces its own risks. Organizations must ensure that supporting both authentication methods does not create a lowest-common-denominator effect, where attackers simply target the weaker password path. Conditional Access policies that enforce passkey use where supported, while restricting password-only access to legacy contexts, will be a critical control during the transition.

Looking Forward

The NCSC's endorsement and Microsoft's simultaneous rollout mark a coordination - intentional or not - between government guidance and platform defaults that accelerates the timeline for passwordless authentication. With over 4 billion passkeys already in active use worldwide [5] and the FIDO Alliance's reported 93% sign-in success rate for passkeys versus 63% for passwords [5], the performance and security data now align with the policy signal.

For security teams, the action items are concrete: audit which services support passkeys and enable them, review Entra ID authentication policies before Microsoft's rollout reaches your tenant, and critically evaluate account recovery flows that may undermine passkey security. The password is not dead yet - but its demotion from default to fallback is now government policy.


Image: Brett Jordan / Unsplash

Sources

  1. National Cyber Security Centre (NCSC): Passkeys are more secure than traditional ways to log in
  2. BBC: UK cyber chiefs say it's time to ditch passwords for passkeys
  3. Microsoft to roll out Entra passkeys on Windows in late April
  4. Offer customers passkeys by default, UK's NCSC tells enterprises
  5. FIDO Alliance Passkey Index and prior NullSec reporting
