The Real Reason Passwordless Security Stalls in SMBs
Published on May 7, 2026
Question: What operational challenges keep SMBs tied to password-based security despite wider access to MFA and passwordless tools?
Robb Reck, Chief Information, Trust, and Security Officer at Pax8
The tools are available. For many SMBs, MFA is already included in the Microsoft or Google licenses they're paying for. So why are passwords still the dominant control?
The honest answer is operational drag.
Most SMBs are running a mix of applications that weren't built with modern authentication in mind. Legacy software, industry-specific tools, older SaaS products. Getting MFA working across all of it isn't hard, but it takes time and someone who knows what they're doing. That person usually isn't on the SMB's payroll.
Identity sprawl makes it worse. Shared accounts, former employees who still have access, personal Microsoft accounts mixed in with business ones. Before you can enforce anything, you have to know what you're enforcing it on. That inventory work doesn't happen on its own.
And then there's the human side. MFA rollouts that aren't managed well create help desk pressure fast. One bad lockout experience and the business owner is asking to turn it off. Without someone to drive adoption and absorb the support load, deployments stall.
Passkeys have a similar problem. The technology works, but device management, account recovery, and user education all have to be planned for. For a business without dedicated IT staff, that's not a small ask.
What SMBs are really missing is execution capacity. Not budget, not access to tools, not awareness. The time and expertise to implement, manage, and maintain modern authentication across a messy, real-world environment.
That's the case for MSPs. Not as a vendor pitch, but as a practical answer to a real operational gap.”
Related
