
The end of passwords? What the NCSC’s new guidance means for your business


This week, the National Cyber Security Centre (NCSC) made headlines by officially recommending that people ditch traditional passwords in favour of passkeys, calling it an overhaul of “decades of security practice.”

What is a passkey and why do I need one?

A passkey is a smarter, harder-to-steal replacement for a password. Instead of you creating and remembering a code, your device generates a secure cryptographic key pair. One part lives on your device, the other sits with the service you’re logging into. To verify it’s really you, your device asks for something you already do every day - scanning your fingerprint or face, or entering a PIN.

Key difference: With a password, a shared secret is exchanged, and that secret can be intercepted or guessed. With a passkey, the part of the key pair on your device is never sent to the service, so no secret is ever shared. That makes phishing, credential stuffing and brute-force attacks far less effective.
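
As an added illustration (not part of the original article or the NCSC guidance), the Node.js sketch below models the exchange described above: the service stores only a public key, and each login is a signature over a fresh challenge plus the site address the browser actually sees. It is a simplified model rather than the WebAuthn message format; the function names and example origins are constructed, and the fingerprint or PIN check on the device is not modelled.

```javascript
// Simplified passkey-style login (illustrative model, not the WebAuthn wire format).
const crypto = require('crypto');

// Registration: the device creates the key pair; only the public half reaches the service.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Service: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Device: sign the challenge together with the origin the browser is really on.
function deviceSign(device, challenge, origin) {
  const payload = Buffer.concat([Buffer.from(origin + '\n'), challenge]);
  return crypto.sign('sha256', payload, device.privateKey);
}

// Service: verify against its own origin and the challenge it just issued.
function serverVerify(server, challenge, expectedOrigin, signature) {
  const payload = Buffer.concat([Buffer.from(expectedOrigin + '\n'), challenge]);
  return crypto.verify('sha256', payload, server.publicKey, signature);
}

function demo() {
  const { device, server } = registerPasskey();
  const origin = 'https://login.example';         // constructed: the genuine site
  const lookalike = 'https://login-example.test'; // constructed: a look-alike site

  // 1. Normal login on the genuine site.
  const c1 = newChallenge();
  const good = serverVerify(server, c1, origin, deviceSign(device, c1, origin));

  // 2. The user is on the look-alike site: the signature is bound to the wrong origin.
  const c2 = newChallenge();
  const phished = serverVerify(server, c2, origin, deviceSign(device, c2, lookalike));

  // 3. An old signature is presented against a new challenge: nothing reusable was sent.
  const c3 = newChallenge();
  const replayed = serverVerify(server, c3, origin, deviceSign(device, c1, origin));

  return { good, phished, replayed };
}

console.log(demo());
```

Only the first login verifies. A breach of the service exposes public keys only, which cannot be used to sign in.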

Platforms like Apple, Google, and the UK Government’s own digital services already support passkeys. The technology now works across all major operating systems and browsers, meaning compatibility is no longer the barrier to adoption it once was.

Why should this matter to your business?

Rising data breaches, reused passwords, and phishing attacks are among the top causes of business cyber incidents. The NCSC’s guidance is for both individuals and businesses. It’s a signal that the security landscape is shifting, and businesses that don’t move with it face increasing risk.

That said, passkeys aren’t a silver bullet. Not every platform supports them yet, and there are practical considerations, such as what happens if an employee loses their device. A well-thought-out rollout, combined with the right policies, is essential.

How to get started

  1. Audit your current login practices. Do your teams reuse passwords? Are password managers in place? Understanding where you are today is the first step.
  2. Enable multi-factor authentication (MFA) now. If passkeys aren’t yet supported by your key platforms, MFA remains your strongest layer of defence.
  3. Plan your passkey transition. Identify which services support passkeys, build a rollout plan, and train your team, so adoption is smooth, not chaotic.
  4. Review your device loss & recovery policies. Since passkeys are tied to devices, having clear procedures for lost or replaced devices is essential.

Not sure where your business stands?

The PKF Infuse IT and cyber security team helps businesses assess their current security posture, implement practical solutions and stay one step ahead of evolving threats. Whenever you're ready, we're here to guide you.

Get in touch today to see how we can help.
