NCSC pushes passkeys, MFA rules
- The UK National Cyber Security Centre said on April 23 that passkeys should replace passwords wherever a service offers them, calling them the default login choice.
- Cyber Essentials assessment accounts created after April 26, 2026 now fail automatically if a cloud service offers multi-factor authentication and the applicant has not enabled it.
- The shift follows NCSC warnings about phishing and distributed denial-of-service threats hitting UK organisations. (ncsc.gov.uk)
The UK’s National Cyber Security Centre said on April 23 that people should use passkeys instead of passwords wherever services offer them. (ncsc.gov.uk) The agency said passkeys are “at least as secure as, and generally more secure than” the strongest password paired with two-step verification. It released that finding on day two of the CYBERUK conference in Glasgow. (ncsc.gov.uk)

A passkey is a login credential stored on a device such as a phone or laptop and unlocked with Face ID, a fingerprint or a PIN. Under the hood it is a public-key pair: the private key never leaves the device, and each login is a signature over a fresh server challenge that is bound to the website’s domain. The NCSC said that makes passkeys resistant to phishing: there is no shared secret for a fake site to capture, and a signature produced for one site cannot be replayed against another. (ncsc.gov.uk)

The NCSC said passkey logins can be up to eight times faster than signing in with a username, password and two-step code. Google data cited by the agency said just over 50% of active Google services users in the UK already have a passkey registered. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

The push on identity checks lands alongside tougher Cyber Essentials rules for organisations seeking the UK-backed security certification. IASME said assessment accounts created after April 26, 2026 must fail automatically if cloud services offer multi-factor authentication and the applicant has not turned it on. (iasme.co.uk 1) (iasme.co.uk 2)

IASME said the April 2026 changes also tighten marking on other “critical practices”, including applying security updates on time across the full assessment scope. The scheme’s five technical controls did not change, but the scoring and the way assessments are run did. (iasme.co.uk)

Remote work still sits inside that scope. IASME’s guidance says anyone working from home for any amount of time counts as a home worker, and the devices they use for business are in scope for Cyber Essentials. (iasme.co.uk)

Home routers are treated differently. IASME’s Knowledge Hub says a home router is not in scope unless the organisation supplied it, but applicants still need to understand and control the firewalls on in-scope equipment. (ce-knowledge-hub.iasme.co.uk)

The NCSC is pairing those account and device rules with warnings about disruption attacks. In January it said Russian-aligned hacktivist groups, including NoName057(16), had carried out frequent distributed denial-of-service attempts against UK local government and urged operators to harden their defences. (ncsc.gov.uk)

On April 23, the same day it backed passkeys, the NCSC also joined the United States, Germany, Japan and other partners in an advisory on China-linked “covert networks” built from compromised routers and internet-connected devices. The advisory said Volt Typhoon used such infrastructure to pre-position capabilities on critical national infrastructure. (ncsc.gov.uk)

The combined message is that weak logins and exposed edge devices are still basic entry points. The UK’s cyber agency is now telling consumers to move to passkeys and telling organisations that skipping multi-factor authentication can cost them certification. (ncsc.gov.uk) (iasme.co.uk)