Passwords, Passkeys, and Everything In Between: A Plain-English Guide to Logging In Securely

Most UK business owners have heard the advice: use strong passwords, enable two-factor authentication, do not reuse credentials. Good advice. But the landscape has shifted considerably over the last few years, and the terminology has multiplied with it. Passkeys, TOTP, magic links, hardware tokens – if you have found yourself nodding along while quietly wondering what any of it actually means, this post is for you.

Authentication – the process of proving you are who you say you are – is one of the most consequential areas of business security. Get it right, and you create a genuinely difficult barrier for attackers. Get it wrong, and a single compromised credential can unravel everything from your email to your financial systems. Understanding the options is the first step to making sensible decisions.

This is not a post about which product to buy. It is a guide to understanding what each method actually does, where it is strong, and where it falls short.

What Is Authentication and Why Does It Matter

Before we get into the types, it is worth being clear on what authentication is trying to achieve. When you log into a system, that system needs to be confident that you are a legitimate user and not someone pretending to be you.

Security professionals typically talk about three categories of proof. Something you know – a password, a PIN, the answer to a security question. Something you have – a phone, a physical device, a smart card. And something you are – a fingerprint, your face, your voice. The most robust systems use more than one of these categories together, which is the principle behind multi-factor authentication (MFA).

Understanding which category each method falls into helps you assess how well it will actually protect your accounts.

Passwords

A password is a secret string of characters – letters, numbers, symbols – that only you and the system you are logging into should know. It sits firmly in the “something you know” category.

Passwords are the oldest and most widely understood form of digital authentication, and they remain the most common. They are also the most frequently abused, reused, and poorly chosen. The average person reuses a password across multiple accounts, uses something guessable (names, dates, “Password1”), or writes it on a sticky note on their monitor.

The weaknesses of passwords are well-documented. They can be stolen via phishing, exposed in data breaches, guessed by automated tools, or simply shared carelessly. A password alone is never sufficient protection for anything that matters.

Good password practice means using a unique, long, complex password for every account – something a password manager handles automatically. But even a perfect password offers no protection if a system it is stored in gets breached and that data is leaked or sold.

Passcode

A passcode is functionally similar to a password but typically refers to a shorter, usually numeric sequence – the four- or six-digit PIN you use to unlock your phone, for instance, or to confirm a payment on a card reader.

Passcodes are common on mobile devices and point-of-sale systems. They are quicker to enter than full passwords but considerably less complex, which means they are more vulnerable to guessing – especially if someone observes you entering it. The security of a passcode relies heavily on the lockout policies of the system it protects, such as locking after too many incorrect attempts.

Passkey

Passkeys are the most significant shift in authentication in a generation, and they deserve more explanation than most people have received.

A passkey is a cryptographic credential – a mathematical key pair – that is generated and stored on your device. When you register a passkey with a website or application, two keys are created: a public key that the service stores, and a private key that never leaves your device. When you log in, the service challenges your device to prove it holds the matching private key, and your device does so without ever transmitting the key itself.

From a user perspective, logging in with a passkey typically means unlocking your device – using your fingerprint, Face ID, or device PIN – and the login happens automatically. No password to type, no code to look up.

The security advantage is substantial. Because the private key never leaves your device, nothing is transmitted that an attacker could capture and reuse, and the credential is bound to the website it was registered with, so passkeys are highly resistant to phishing. Even if someone tricks you into visiting a lookalike website, there is no password to steal, and your device will not produce a valid login response for the wrong site. Passkeys are backed by the FIDO2 standard and are supported by major platforms including Microsoft, Apple, and Google.
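The challenge-response exchange described above, as an added illustration that is not code from the original post or from AOIT Networks. It is a deliberately simplified model of the FIDO2/WebAuthn flow in Go: the device keeps the private key, the service keeps only the public key, and the device signs each fresh challenge together with the site identity it was registered for. The `Authenticator`, `Server`, `Register`, `Respond` and `Verify` names, and the site names used, are assumptions made for the example; real WebAuthn signs a different byte layout (authenticator data plus a hash of the client data), but the three properties shown here are the ones that matter: the key never leaves the device, a captured response cannot be replayed against a new challenge, and a lookalike site gets no usable response at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is the user's device side. It holds the private key and never reveals it.
type Authenticator struct {
	priv ed25519.PrivateKey
	rpID string // the site this credential was registered with, e.g. "example.com"
}

// Server is the service side (the "relying party"). It only ever holds the public key.
type Server struct {
	rpID string
	pub  ed25519.PublicKey
}

// Register creates the key pair on the device and hands only the public key to the service.
func Register(rpID string) (*Authenticator, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &Server{rpID: rpID, pub: pub}, nil
}

// NewChallenge is a fresh random nonce the service issues for one login attempt.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the site identity (simplified stand-in for the
// rpIdHash and origin that WebAuthn includes in the signed bytes).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Respond signs the challenge for the site the browser reports it is talking to.
// The device only holds a credential for the site it registered with, so a
// lookalike domain gets no signature (ok == false). The private key is used
// here but never returned or transmitted.
func (a *Authenticator) Respond(originRPID string, challenge []byte) (sig []byte, ok bool) {
	if originRPID != a.rpID {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedData(originRPID, challenge)), true
}

// Verify accepts the login only if the signature covers this server's own
// identity and the challenge it issued for this attempt.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.pub, signedData(s.rpID, challenge), sig)
}

func main() {
	auth, srv, err := Register("example.com")
	if err != nil {
		panic(err)
	}
	ch, _ := srv.NewChallenge()
	sig, ok := auth.Respond("example.com", ch)
	fmt.Println("genuine site, device answered:", ok, "server accepts:", srv.Verify(ch, sig))

	// Constructed phishing scenario: the browser is really at a lookalike domain.
	_, ok = auth.Respond("examp1e.com", ch)
	fmt.Println("lookalike site, device answered:", ok)

	// Constructed replay scenario: an old signature presented for a new challenge.
	ch2, _ := srv.NewChallenge()
	fmt.Println("replayed signature accepted:", srv.Verify(ch2, sig))
}
```

The service never needs to store anything secret for the user, which is why a breach of its database does not hand attackers a reusable credential the way a leaked password does.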

For UK businesses, passkeys represent the direction of travel. They are not universally supported everywhere yet, but adoption is accelerating across the tools most businesses rely on daily.

TOTP – Time-Based One-Time Password

TOTP stands for Time-Based One-Time Password. It is the six-digit code generated by apps like Microsoft Authenticator or Google Authenticator that changes every 30 seconds.

When you set up TOTP on an account, the service and your authenticator app share a secret key. Both use the same algorithm to calculate what the current code should be based on the time. Because the code is only valid for 30 seconds and changes constantly, an attacker who intercepts it has a very narrow window – and even then, they would need your password too.
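How the shared secret and the clock turn into a six-digit code, as an added example that is not code from the original post or from AOIT Networks. It is a Go implementation of the published algorithm (RFC 4226 HOTP under RFC 6238 TOTP, HMAC-SHA1, 30-second steps), plus the server-side check that accepts a code only for the current step and one step either side. The `Step`, `Digits`, `TOTP` and `Validate` names are assumptions made for the example; the demo secret is the ASCII test key from RFC 6238, so the code it produces for time 59 can be checked against the RFC's own test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the TOTP time step in seconds: the 30-second window the article describes.
const Step = 30

// Digits is the length of the code the authenticator app displays.
const Digits = 6

// hotp implements RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then
// "dynamic truncation" down to a Digits-long decimal code.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// TOTP (RFC 6238) turns the Unix time into a counter and feeds it to hotp, which is
// why the app and the service produce the same code from the same shared secret.
func TOTP(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/Step))
}

// Validate is the server side: accept the code for the current step plus `skew`
// steps either side (skew=1 tolerates a little clock drift), comparing in constant
// time. Anything older is rejected, which is the narrow window the article describes.
func Validate(secret []byte, code string, unixTime int64, skew int64) bool {
	counter := unixTime / Step
	for d := -skew; d <= skew; d++ {
		if counter+d < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(counter+d))), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the ASCII test key from RFC 6238 Appendix B.
	// Real secrets are random bytes, shared once via the enrolment QR code.
	secret := []byte("12345678901234567890")
	fmt.Println("RFC 6238 vector, t=59:", TOTP(secret, 59)) // 287082
	now := time.Now().Unix()
	fmt.Println("code now:", TOTP(secret, now))
	fmt.Println("code from 2 minutes ago accepted?", Validate(secret, TOTP(secret, now-120), now, 1))
}
```

The skew allowance is the one tuning decision a service makes here: zero rejects users whose phone clock is a few seconds out, while anything above one step widens the window an intercepted code remains usable.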

TOTP falls into the “something you have” category because it requires access to the device running the authenticator app. It is a significant improvement over SMS-based codes because it does not rely on your mobile network and cannot be intercepted via SIM-swapping attacks. It is not phishing-proof, though: a code typed into a convincing fake login page can be relayed to the real site within its 30-second window, which is why passkeys and hardware keys rank above it.

For most UK SMBs using Microsoft 365, TOTP through an authenticator app is the minimum standard that should be in place for every user account.

SMS Code – One-Time Passcode via Text

Many systems send a one-time code via text message to your registered mobile number. You enter this code alongside your password to complete the login.

This is better than a password alone, but it is the weakest form of second-factor authentication available. SMS codes can be intercepted through SIM-swapping – where an attacker convinces your mobile network to transfer your number to a SIM card they control – or through vulnerabilities in the SS7 protocol, which underlies the global mobile network.

SMS codes are also susceptible to real-time phishing, where an attacker creates a fake login page, captures your password and code as you enter them, and uses both immediately on the real site before the code expires.

If SMS is the only second-factor option a service offers, use it – it is still better than nothing. But where authenticator apps or hardware keys are available, they should be preferred.

Magic Link

A magic link is a time-limited, single-use URL sent to your email address. Clicking it logs you into the service without requiring a password at all. You have almost certainly received these from services like Notion, Slack, or various SaaS platforms.

The logic is straightforward: if you control the email account, you should be able to access services linked to it. It removes the need to remember passwords entirely.
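What “time-limited, single-use” has to mean on the service's side, as an added example that is not code from the original post or from AOIT Networks. The Go code below is a minimal token store for magic links: it mints a random token, records only a hash of it with an expiry, and deletes it on first redemption so a forwarded or re-clicked link cannot log in twice. The `Store`, `Issue`, `Redeem` and `TokenFromLink` names, the fifteen-minute lifetime, and the `https://app.example/login` URL are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// TTL is how long a link stays valid after it is issued (assumed value).
const TTL = 15 * time.Minute

type pending struct {
	email   string
	expires time.Time
}

// Store keeps only a hash of each outstanding token, so a leaked database does
// not hand an attacker a set of live login links.
type Store struct {
	mu      sync.Mutex
	pending map[[32]byte]pending
}

func NewStore() *Store { return &Store{pending: map[[32]byte]pending{}} }

// Issue mints a random single-use token, records its hash and expiry, and returns
// the URL that would be emailed to the user.
func (s *Store) Issue(email string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	s.pending[sha256.Sum256([]byte(token))] = pending{email: email, expires: now.Add(TTL)}
	s.mu.Unlock()
	return "https://app.example/login?token=" + token, nil
}

// Redeem consumes a token: it must be known and unexpired, and it is deleted on
// the first attempt either way, so nothing can be retried.
func (s *Store) Redeem(token string, now time.Time) (string, error) {
	key := sha256.Sum256([]byte(token))
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pending[key]
	if !ok {
		return "", errors.New("unknown or already used link")
	}
	delete(s.pending, key)
	if now.After(p.expires) {
		return "", errors.New("link expired")
	}
	return p.email, nil
}

// TokenFromLink pulls the token query parameter back out of the emailed URL.
func TokenFromLink(link string) string {
	u, err := url.Parse(link)
	if err != nil {
		return ""
	}
	return u.Query().Get("token")
}

func main() {
	s := NewStore()
	t0 := time.Now()
	// Constructed sample user; nothing is actually emailed here.
	link, _ := s.Issue("alice@example.com", t0)
	fmt.Println("emailed link:", link)
	email, err := s.Redeem(TokenFromLink(link), t0.Add(time.Minute))
	fmt.Println("first click:", email, err)
	_, err = s.Redeem(TokenFromLink(link), t0.Add(2*time.Minute))
	fmt.Println("second click:", err)
}
```

Everything this store does still rests on the email account being the only place the link lands, which is exactly the dependency the next paragraph describes.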

The weakness is that magic links shift the security burden onto your email account. If someone else can access your email – whether through a compromised password or a phishing attack – they can use magic links to access everything tied to that address. Magic links are also only as secure as the email delivery channel, which is not end-to-end encrypted by default.

Magic links work well for lower-risk consumer applications. For business systems handling sensitive data, they are generally not the right choice as a standalone mechanism.

Hardware Token

A hardware token is a physical device that generates or stores authentication credentials. The most common type you will encounter is a USB security key – a small device you plug into your computer or tap to your phone via NFC to confirm a login.

Hardware tokens are among the strongest authentication methods available. The private key is generated inside the device and is designed so that it cannot be extracted. Logging in requires the device to be physically present, which rules out the remote, credential-only attacks that defeat passwords. A criminal who has stolen your password cannot use it without also having the physical key in their possession.

Hardware tokens support the same FIDO2 standard as passkeys, which is why they are sometimes described as the physical equivalent. They are commonly recommended for high-value accounts – system administrators, finance teams, senior executives – where the consequences of a compromised login would be severe.

The practical limitation is cost and management. Each user needs at least one token, ideally two as a backup in case one is lost or damaged, and the organisation needs processes for issuing and recovering them. For most roles within an SMB, a well-managed authenticator app is a sensible and more practical alternative. For privileged accounts, hardware tokens are worth serious consideration.

Biometric Authentication

Biometrics use physical characteristics to verify identity – fingerprints, facial recognition, iris scans, and in some specialised systems, voice patterns. They fall into the “something you are” category.

You almost certainly use biometrics daily without thinking of them as authentication: unlocking your phone with your thumb, approving a payment with Face ID, or accessing a laptop with Windows Hello.

In most consumer and business contexts, biometrics do not replace passwords – they unlock the system or device that then handles the actual authentication. Your fingerprint unlocks your phone, and your phone then authenticates you to a passkey or TOTP app. The biometric is a convenient and secure gate to your credentials, not a standalone login system in most cases.

Biometrics are highly resistant to remote attacks because they require physical presence. The practical concerns are different: biometric data cannot be changed if it is compromised (you cannot reset your fingerprint the way you reset a password), and organisations handling biometric data face significant GDPR obligations around how it is stored and processed.

Security Questions

It would be incomplete not to mention security questions – “What was your first pet’s name?”, “What street did you grow up on?” – because many systems still use them for account recovery.

Security questions are not a second authentication factor. They are an additional piece of information that, in most cases, can be found through a combination of social media research and educated guessing. They offer a false sense of security. If a system you use still relies on them, treat your answers as additional passwords – make them up, store them in a password manager, and use something that bears no relationship to the actual question asked.

How These Methods Work Together

The most secure accounts do not rely on any single method. They layer multiple factors from different categories. A typical strong setup for a business system might be a passkey or strong password combined with a TOTP authenticator app, with a hardware token required for privileged or administrative access.

This is the principle of defence in depth. An attacker would need to defeat multiple independent barriers – stealing your password is not enough if they also need physical access to your authenticator device, and vice versa.

The combination you choose should reflect the sensitivity of what you are protecting. Not every system needs hardware tokens, but every system used in a business context should require at least two factors.

How AOIT Networks Approaches Authentication for Our Partners

When AOIT Networks manages IT for a business, authentication standards are part of the baseline from day one. For Microsoft 365 environments, that means enforcing multi-factor authentication across every account – not leaving it as an optional setting that individuals can choose to bypass.

We help partners identify which accounts carry the highest risk and where stronger controls are warranted, whether that is hardware tokens for administrative access or Conditional Access policies that assess the risk of each login attempt before allowing it. Getting this right does not require significant complexity or expense – it requires a clear picture of what you have, what is protected, and what is not.

Is Your Business Currently Meeting the Standard?

Cyber Essentials – the UK government-backed certification scheme – requires MFA for cloud-based services and remote access. If your business is not currently enforcing at least two-factor authentication across your Microsoft 365 accounts, email, and any external-facing systems, you are below the minimum threshold that both best practice and many cyber insurance policies now expect.

The good news is that getting there is not a lengthy project. In most cases, the tools are already in place – it is a matter of configuration and rollout.

If you are not certain whether your current authentication setup meets Cyber Essentials requirements, or want to understand where your exposure sits, AOIT Networks can work through your Microsoft 365 tenant and identity configuration with you and give you a clear picture of what needs to change.

Got Questions About Your IT?

Questions about your setup? Wondering if there’s a better way to do things? We’re always happy to have a no-pressure conversation about your IT needs.

AOIT Networks has been supporting UK businesses for over 13 years. We keep things simple, honest, and focused on what actually works for you. Whether you’re dealing with a specific challenge, planning for growth, or just want a second opinion on your current IT infrastructure, our team is here to help.

No sales pitch. No obligation. Just straightforward advice from people who genuinely care about getting it right.