UK NCSC: passkeys & AI warning

- The UK NCSC warned that frontier AI models accelerate vulnerability discovery, calling for baseline upgrades now. (x.com)
- The agency also endorsed moving from passwords to passkeys as the default authentication standard. (x.com)
- Organizations are being encouraged to accelerate passkey support and rethink password‑centric MFA in new deployments. (x.com)

The UK’s cyber defense agency says organizations should raise basic security now because frontier AI is making software flaws faster and cheaper to find. (ncsc.gov.uk)

In a letter published on April 15, 2026, National Cyber Security Centre chief executive Richard Horne said AI will increasingly expose organizations that have not reduced attack surface, applied updates quickly, and improved monitoring and response. (ncsc.gov.uk)

The agency paired that warning with a second shift on Thursday, April 23: it said passkeys should become the default sign-in option for consumers, and that users should choose passkeys wherever a service offers them. (ncsc.gov.uk)

A passkey is a login stored on your phone or computer that unlocks with the same check you already use on the device, such as Face ID, a fingerprint, or a PIN. The NCSC said that setup blocks common phishing tricks because the credential cannot be intercepted, reused, or typed into a fake website the way a password can. (ncsc.gov.uk)

At CYBERUK 2026 in Glasgow, the NCSC said passkeys are “at least as secure as, and generally more secure than” the strongest password paired with two-step verification. Its technical paper said all traditional multi-factor methods, including SMS codes, email codes, app-generated one-time codes, hardware tokens, and push approvals, remain phishable. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

That marks a change from 2025, when the NCSC said passkeys were the future but stopped short of a full endorsement because of implementation problems. On April 23, it said industry progress had cleared enough of those issues for passkeys to be recommended to the public and to businesses as the default authentication option to offer consumers. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

The AI warning is broader than logins. In a separate assessment covering now to 2027, the NCSC said AI will “almost certainly” make parts of cyber intrusion more effective and efficient, increase the frequency and intensity of threats, and widen the gap between systems that keep pace and those that do not. (ncsc.gov.uk)

The agency also said frontier models are already showing results in tasks like identifying zero-day flaws in widely used software and solving cryptographic challenges. It said those gains can lower the skill, time, and cost needed for some attack steps, while also giving defenders tools to find and fix weaknesses earlier. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

For organizations planning new systems, the NCSC’s position points away from password-first designs. Its April 23 guidance said the agency will recommend passkeys wherever a service supports them, and two-step verification where passkeys are not yet available. (ncsc.gov.uk)

The through line in both announcements is speed: AI is compressing the time attackers need to find weaknesses, and the NCSC is telling companies to compress the time it takes to patch, monitor, and move users off passwords. (ncsc.gov.uk) (ncsc.gov.uk)
