Beyond Passwords: What a Modern Identity Stack Looks Like for Small Businesses

security identity passkeys smb iam
If you run a company with five to fifty people, your identity stack is probably still “passwords plus a password manager, with SMS codes on the important stuff.” That was acceptable in 2021. In 2026 it is the single largest unpriced risk sitting on your balance sheet.

The good news is that the tools to fix it are cheap, mature, and mostly interoperable. You can put a defensible identity stack in place this quarter without hiring a security team. Here is what it looks like and how to roll it out.

What a modern stack includes

Think of identity as five layers, and make an explicit decision about each one.

1. Authentication: passkeys as the default

Passkeys — FIDO2 credentials stored on your device or in your password manager — are phishing-resistant by design. Google, Microsoft, Apple, GitHub, and most serious SaaS now support them. Where you cannot use passkeys, use TOTP authenticator apps. SMS is no longer a second factor you should accept on anything that matters.

2. Hardware keys for admins

Anyone with admin rights to your identity provider, your cloud, your DNS, your git host, or your banking gets a hardware key. Two each (primary and backup), registered at enrolment, stored in different physical locations. YubiKey 5 series, Feitian, or Token2 — pick one vendor and standardise. Budget: €50–80 per key.

3. An identity provider (IdP) with SSO

One place where identities live, one place where access is granted and revoked. For SMBs the realistic options are Google Workspace, Microsoft Entra ID, or a dedicated IdP like JumpCloud or Okta Workforce. Cost sits between €6 and €15 per user per month for the tier you actually need. The ROI is not a feature — it is that offboarding takes thirty seconds instead of two days of forgotten accounts.

4. Callback protocols for human-in-the-loop decisions

No technology stops a finance clerk from wiring money to a fake IBAN if the process allows it. You need written rules:

  • Any change of payment destination is verified by callback on a pre-recorded number.
  • Any unusual payment request by voice is verified by a code word.
  • Any “urgent, confidential” request routed around normal process is treated as suspicious by default.

This is a one-page document, printed and signed. It is also the cheapest control on this list.

5. Device trust

Laptops and phones that access company data should be known to the IdP, encrypted at rest, and patched. For Apple fleets, this is one MDM licence per device (€3–8/month). For mixed fleets, something like Kandji, Jamf, or the device management in Google/Microsoft works. The goal is simple: if a device is lost, you can revoke its access without touching it.

A phased rollout

You do not need to do all of this at once. In fact you shouldn’t — changes to authentication have a habit of locking people out at exactly the wrong moment.

Phase 1 — Week 1: inventory and cleanup

  • List every SaaS account the company uses. Yes, all of them.
  • Identify which are tied to personal emails, shared passwords, or former employees.
  • Delete what is not used. Consolidate what is.

This phase is unglamorous and almost always finds at least one account no one remembered existed.

Phase 2 — Weeks 2–3: IdP and SSO

  • Stand up your chosen IdP.
  • Connect the top ten most-used SaaS via SSO.
  • Migrate the rest to “login with Google/Microsoft” where SSO is not available.
  • Decommission standalone accounts as you go.

Phase 3 — Weeks 4–5: passkeys and MFA upgrade

  • Enable passkeys on the IdP and top SaaS.
  • Disable SMS as a second factor everywhere it is offered.
  • Issue hardware keys to admins and enrol two per person.

Phase 4 — Weeks 6–8: device trust and process

  • Enrol laptops and phones in MDM.
  • Write and sign the callback / code-word document.
  • Run the first phishing and voice-fraud drill.

By the end of eight weeks a five-to-fifty-person company is in a materially better place than ninety per cent of its peers.
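To make the Phase 1 inventory and the Phase 2 and 3 checks concrete, here is an added example (written for this post, not a tool from any vendor named above) that triages an account inventory against the rollout criteria: personal email, shared credential, former employee, not yet on SSO, SMS or no second factor. The CSV columns, the example.com domain and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample inventory, the kind of list Phase 1 produces.
# Column names and the company domain are assumptions for this example.
COMPANY_DOMAIN = "example.com"
INVENTORY_CSV = """service,login,auth,second_factor,owner_status
github,alice@example.com,sso,passkey,active
stripe,bob.personal@gmail.com,password,sms,active
mailchimp,marketing@example.com,password,none,shared
aws,carol@example.com,password,totp,left
dns-registrar,alice@example.com,sso,hardware_key,active
"""


def triage(csv_text, company_domain=COMPANY_DOMAIN):
    """Map each account that still needs work to the findings against it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        login_domain = row["login"].rsplit("@", 1)[-1].lower()
        if login_domain != company_domain:
            issues.append("personal email")        # Phase 1: personal address
        if row["owner_status"] == "shared":
            issues.append("shared credential")     # Phase 1: shared password
        if row["owner_status"] == "left":
            issues.append("former employee")       # Phase 1 and offboarding test
        if row["auth"] != "sso":
            issues.append("not on SSO")            # Phase 2: bring behind the IdP
        if row["second_factor"] == "sms":
            issues.append("SMS second factor")     # Phase 3: disable SMS
        elif row["second_factor"] == "none":
            issues.append("no second factor")      # Phase 3: enable passkey/TOTP
        if issues:                                 # clean accounts are omitted
            findings[row["service"]] = issues
    return findings


def offboarding_gaps(csv_text):
    """Services where a leaver still has a login: the five-minute lockout test."""
    return sorted(svc for svc, issues in triage(csv_text).items()
                  if "former employee" in issues)


if __name__ == "__main__":
    for service, issues in triage(INVENTORY_CSV).items():
        print(f"{service}: {', '.join(issues)}")
    print("offboarding gaps:", offboarding_gaps(INVENTORY_CSV))
```

Feed it the real inventory once per phase and the list of findings should shrink to empty by the end of week five; anything still in `offboarding_gaps` is a failed offboarding test.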

Cost brackets (rough, 2026 EU pricing)

For a 20-person company, expect roughly:

  • IdP + SSO: €2,400–€3,600 per year.
  • Hardware keys (2 × 5 admins): €500–€800 one-off.
  • MDM for 20 devices: €720–€2,000 per year.
  • Rollout effort: 40–80 hours, internal or external.

Total year-one outlay lands around €5,000–€8,000. Compare that to a single successful wire-fraud attempt, which in our client base in 2025 ranged from €8,000 to €180,000.

The checklist

Print this, tick it off, keep it visible:

  • IdP live with all staff provisioned
  • Top 10 SaaS on SSO
  • Passkeys enabled on IdP + email + git + cloud + banking
  • SMS 2FA disabled everywhere possible
  • Hardware keys issued to every admin, two each
  • MDM active on all company devices
  • Written callback + code-word protocol, signed
  • One drill in the first 90 days
  • Offboarding test: can you lock out a leaver in under five minutes?

Where we come in

Most of this is work you can do yourselves. Where we help is in the cutover weeks — migrating SaaS to SSO, wiring passkey enforcement into your IdP, writing the callback policy in a form people actually follow, and running the first honest drill. If you want a second set of hands or a pair of eyes, let’s talk.