The NCSC Just Told Consumers to Bin Their Passwords. Here Is Why It Stayed Silent About Your Business.

Tuesday morning. You open LinkedIn and see the same headline from four different sources. "Passwords Are Dead." Your phone pings. The managing director has forwarded one of the articles with three words: "Are we exposed?"

You are now the IT person.

Most of the coverage of this week's NCSC announcement is overstating what actually changed. The detail almost everyone has missed is the one that matters most to your business.

What the NCSC Actually Said

At CYBERUK 2026 in Glasgow, the UK government's flagship cyber security conference, the National Cyber Security Centre published new guidance overturning decades of conventional advice. Passkeys, the cryptographic login method already supported by Google, Apple, Microsoft, eBay and PayPal, are now the recommended way to log in wherever a service supports them.

This is significant. Passkeys cannot be phished, reused or stolen in the same way passwords can. They are the most meaningful upgrade to everyday authentication in a generation.

But there is a sentence buried in the coverage that almost no one has highlighted.

The NCSC has not yet extended this recommendation to business applications.

That is not a footnote. That is the whole story.

  • At CYBERUK 2026 the NCSC named passkeys the preferred login method for consumers
  • Passkeys are resistant to phishing, reuse and credential theft in a way passwords never were
  • The same guidance has not been extended to business applications, and that gap is the real story

Why Business Was Left Out

The NCSC is not being slow. It is being precise.

Your personal phone is a tidy environment. One person, one device, one set of accounts. A business is the opposite. Shared mailboxes. Third-party portals you log into for clients. Line-of-business software written before passkeys existed. Contractors with temporary access. Joiners, leavers, and the inevitable spreadsheet someone built in 2017 that the entire finance team still logs into.

The gap between consumer guidance and business reality is exactly where authentication projects go wrong. It is also where an IT provider focused on licence revenue will happily sell you something you are not ready to deploy.

The honest answer is that the right move for your business this month is not the same as the right move for your phone. Anyone telling you otherwise is not paying attention.

  • Consumer accounts are simple. Business environments layer shared mailboxes, third-party portals, legacy apps and rotating contractor access on top
  • Passkey rollouts break when they are forced on that complexity without a plan
  • The right move for your phone is not the right move for your business this month

What To Do This Week

1. Get yourself and your team onto a password manager. This week.

This is the practical bridge between the world we are leaving and the one the NCSC just pointed to.

I use Bitwarden at home. My wife uses it. My children use it. None of them are technical, and none of them have ever asked me how it works. It sits quietly in the browser, fills the right password into the right box, and gets out of the way. The free version is genuinely free.

Here is the part most people miss. Modern password managers, Bitwarden included, now store passkeys alongside passwords. Whatever your team adopts today is the same tool that will hold tomorrow's passkeys. No second migration. One habit, future-proofed.

Tell your staff to install it on their personal devices first. Personal email is a common attack route into business systems, and the perimeter you cannot see is the one that bites you. This is exactly the sort of habit that security awareness training is designed to build, quietly and without drama.

2. Ask your IT provider for a passkey readiness audit.

Three questions. Which of our business systems support passkeys today? Which do not? Which of the ones that do not are critical to operations?

If your provider cannot answer this within a week, that itself is the answer.

3. Do not roll anything out across the business yet.

The right sequence is audit, plan, pilot, deploy. Anyone telling you to flip the switch on Monday is selling you a problem they will later bill you to fix.

  • Step one: adopt a reputable password manager across the team this week. It is the bridge, and the same tool will hold your passkeys later
  • Step two: ask your IT provider to audit which of your business systems support passkeys today and which do not
  • Step three: do not flip any switches yet. The correct sequence is audit, plan, pilot, deploy

The Question Most Owners Are Not Asking

The interesting question is not "should we move to passkeys?"

It is: who in our supply chain is rushing this and creating new risks for us?

Your accountant. Your legal counsel. Your construction subcontractors. The marketing agency holding your customer list. If any of them get this transition wrong, the impact lands in your inbox, not theirs.

This is why a broader cybersecurity posture matters more than any single control. A clean internal rollout will not save you from a supplier who stored their admin passkey on a personal device that has since been lost.

  • Your biggest passkey risk may not be inside your business at all
  • Third parties holding your data (accountants, lawyers, agencies, subcontractors) are all rushing the same transition
  • A supplier's mistake lands in your inbox, not theirs. Ask them the same questions you would ask yourself

A Leadership Moment, Not a Tooling Moment

The firms that handle this announcement well over the next twelve months will not be the ones that move fastest. They will be the ones that move in the right order.

Audit before action. Foundations before features. People before products.

If you would like a clear, plain-English passkey readiness audit for your business, that is exactly the kind of work we do as part of our IT consulting engagements. One short conversation, no licence pitch.

Has your IT provider mentioned the NCSC announcement to you yet? If not, why not?


If you would like an honest read on where your business actually stands on authentication, book a short call. No sales pitch. No jargon. A straight answer to a question that is about to matter a lot more than most business owners realise.

#cybersecurity #passkeys #ncsc #cyberuk-2026 #authentication #password-managers #smb-security #uk-business
Marc Dirrenberger

Blue Icon IT Founder & Tech Consultant

Marc helps businesses navigate technology adoption securely and effectively. He focuses on practical IT strategies that drive real business outcomes for SMBs and startups.
