When a Hardware Key Beats a Synced Passkey

FIDO2 in two flavours: synced passkeys for the masses, hardware keys for the accounts that can take a business down. Here's where the line sits.

A YubiKey 5C Nano in 2026 looks redundant at first glance. We live in a passkey world now, and Apple, Google, and Microsoft handle that experience well enough that most users never need anything else. For consumer authentication, that’s a genuine win. For the accounts that underpin a business, it’s only half the answer.

What the NCSC actually said

In April 2026 the NCSC formally moved off password recommendations and told the public to choose passkeys wherever they are available. The supporting technical write-up groups passkeys and hardware tokens together as “FIDO2 credentials” - the same cryptographic primitive, just packaged differently. The NCSC also flags the obvious caveat: the security of a synced passkey is inherited from the strength of the account it syncs through.

That last line is the one that matters for businesses.

The dependency hidden inside synced passkeys

Synced passkeys carry a quiet dependency: the platform they live on. iCloud accounts, Google accounts, password managers. If any of those are compromised, the passkeys synced through them go too. That’s an acceptable trade-off for routine logins. It is not acceptable for the accounts that can take a business down in a single bad afternoon.

Hardware keys for high-value targets

A hardware key is the same FIDO2 credential the NCSC endorses, minus the sync. It sits outside the cloud dependency chain entirely. It can’t be phished, can’t be synced to a compromised device, and can’t be remotely wiped by an attacker who already owns a cloud account. For administrative consoles, infrastructure access, code signing, and SSH into production, a physical key remains the strongest second factor available.

The layered setup

The pragmatic split: passkeys for day-to-day logins, hardware keys for the things that matter. Cloud dashboards, domain registrars, Git signing, SSH to production. A 5C Nano lives permanently in a USB-C port - zero friction once configured. £70 buys a piece of physical metal that means a single compromised account can’t end a small consultancy or stall a fast-moving team.
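Drawing the line is only useful if you can check that production access actually sits on the hardware side of it. The script below is an added example, not part of the original post or any vendor tooling: it audits an OpenSSH `authorized_keys` file and flags every entry whose key type is not one of the FIDO2 hardware-backed `sk-` types. The sample `authorized_keys` content is constructed for the example, and the parser assumes option lists (such as `verify-required`) contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): audit an authorized_keys file
# for keys that are not FIDO2 hardware-backed. OpenSSH marks hardware-backed
# credentials with the "sk-" key types (sk-ssh-ed25519@openssh.com and
# sk-ecdsa-sha2-nistp256@openssh.com); anything else is a software key that
# can be copied, synced or stolen without touching a physical token.

# Constructed sample data (assumption: three users, one of them on a software key).
SAMPLE_AUTHORIZED_KEYS='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEXAMPLEKEYDATA alice@yubikey
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA bob@laptop
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIEXAMPLEKEYDATA carol@yubikey'

# key_type LINE: print the key-type field of one authorized_keys line.
# Walks the whitespace-separated fields and returns the first one that looks
# like an OpenSSH key type, so a leading option list is skipped.
# Assumption: options contain no spaces (no quoted command="..." entries).
key_type() {
  for field in $1; do
    case "$field" in
      sk-*@openssh.com|ssh-*|ecdsa-sha2-*|rsa-sha2-*)
        printf '%s\n' "$field"
        return 0
        ;;
    esac
  done
  return 1
}

# is_hardware_backed LINE: succeed only if the key type is an "sk-" type.
is_hardware_backed() {
  case "$(key_type "$1")" in
    sk-*) return 0 ;;
    *)    return 1 ;;
  esac
}

# count_non_hardware_keys FILE: number of active entries that are not
# hardware-backed (unparseable lines are counted, since they are not "sk-").
count_non_hardware_keys() {
  n=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    is_hardware_backed "$line" || n=$((n + 1))
  done < "$1"
  printf '%s\n' "$n"
}

# audit_authorized_keys FILE: print one verdict per entry and return non-zero
# if any entry needs review, so the function can gate a CI or config check.
audit_authorized_keys() {
  rc=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    type=$(key_type "$line") || type="unknown"
    comment=${line##* }                          # trailing comment field
    if is_hardware_backed "$line"; then
      printf 'OK      %-38s %s\n' "$type" "$comment"
    else
      printf 'REVIEW  %-38s %s\n' "$type" "$comment"
      rc=1
    fi
  done < "$1"
  return $rc
}

# Stand-alone demo over the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$tmp"
audit_authorized_keys "$tmp" || \
  echo "entries not backed by a hardware key: $(count_non_hardware_keys "$tmp")"
rm -f "$tmp"
```

Run it against `~/.ssh/authorized_keys` on each production host; every `REVIEW` line is a user whose access does not depend on a physical token. To close the gap rather than just report it, generate the user's key on the token with `ssh-keygen -t ed25519-sk -O resident -O verify-required` and, on the server, set `PubkeyAuthOptions verify-required` in `sshd_config` so a PIN or biometric check on the key is mandatory. The same key serves Git signing once `git config --global gpg.format ssh` points `user.signingkey` at its public half.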

Security works in layers, not single switches. Passkeys raised the floor. Hardware keys remain the ceiling. Match the layer to the value of the account.

If your team’s authentication setup hasn’t kept pace with the gap between consumer passkeys and admin-grade hardware factors, get in touch. We help small teams draw the line in the right place and harden the accounts that sit on the wrong side of it.