The most secure password is the one that doesn't exist: this is how Zerolynx's dealer portal works
Juan Antonio Calles
There is an uncomfortable truth in cybersecurity that we have been repeating for years in every talk, every report, and every audit: the password is the weakest link in any system. It is reused, written on a sticky note, leaked in any breach of any service that has nothing to do with yours, and from there it circulates through forums where it is bought and sold for cents.
That's why, at Zerolynx, we have done the most logical thing we could do with our own distributor portal: we have eliminated passwords. We haven't made them more robust, we haven't forced renewals every 90 days, we haven't asked for uppercase letters, numbers, and an emoji. We have removed them. And we sleep much better.
The real problem with passwords
The outlook is not encouraging. The vast majority of incidents we investigate for clients start in the same place: a leaked, reused, or phished credential. And even if you, as a distributor, do everything right, you are still exposed to three risks that you do not control:
- Credentials leaked by third parties. If your email and password appear in a dump from any other service, attackers automatically try them on thousands of portals. This is known as credential stuffing.
- Targeted phishing. A cloned page, a well-written email, and a moment of haste. The password is gone.
- Infostealer malware. Families like RedLine, Vidar, or Lumma specialize precisely in this: emptying the browser's password store and selling its contents on underground markets.
Against this, the best defense is not a longer password. It is to have no password at all.
What we have put in its place: passwordless authentication
The technical term is passwordless authentication, and within that family, there are several variants. We use the simplest and most widespread one currently in B2B commerce: one-time codes sent to your email (what is technically called an OTP, One-Time Password). The flow is this:
- You go to our distributor portal and enter your email.
- You receive a 6-digit numeric code in your email.
- You enter it on the website.
- You are in. No password to remember, no password to lose, no password to leak.
The code expires after a few minutes and is only valid for that session. If someone were to intercept it later, it would be useless to them.
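The flow above as server-side logic, in Python. This is an added example, not Zerolynx's portal code; the 5-minute lifetime, the 5-attempt cap, the in-memory store and the names `OtpStore` and `SERVER_KEY` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300                  # assumption: the page says "a few minutes"
MAX_ATTEMPTS = 5                       # assumption: guess cap, not stated on the page
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-process key kept outside the store


class OtpStore:
    """Pending one-time codes, keyed by login session id (in-memory for the example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    @staticmethod
    def _digest(session_id, email, code):
        # Keyed digest bound to session and email: a dump of the store alone
        # does not reveal live codes, and a code cannot move between sessions.
        msg = f"{session_id}:{email}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, email):
        """Start a login session; the caller sends `code` to `email`."""
        session_id = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        self._pending[session_id] = {
            "digest": self._digest(session_id, email, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return session_id, code

    def verify(self, session_id, email, code):
        """True only for the right code, in its own session, in time, once."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]          # expired or locked out
            return False
        entry["attempts"] += 1
        expected = self._digest(session_id, email, code)
        ok = hmac.compare_digest(entry["digest"], expected)
        if ok:
            del self._pending[session_id]          # single use
        return ok
```

The attempt cap matters because a 6-digit code has only one million possible values; without it, expiry alone leaves room for guessing inside the validity window.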
And is this really more secure?
Yes, and for specific reasons:
- There is no permanent secret to steal. There is no password stored in your head, in your browser, or in our database. What does not exist cannot be leaked.
- Each session requires real access to your email. Security control is transferred to the channel you already protect most carefully: your corporate email account, presumably with its own second factor.
- Reuse is eliminated. It no longer matters if you recycle the same password on five different sites: here you don't use it on any.
- Phishing is much less profitable. A 6-digit code that expires in minutes is a very short-lived trophy for an attacker.
What this asks of you in return
A security decision is never free, and here the change is important: your email account becomes the center of gravity of access. That's why we recommend, if you don't already have it:
- Activating two-factor authentication (2FA) on your professional email. Ideally with an authentication app or a physical key, not via SMS.
- Keeping your systems updated and periodically reviewing the active sessions on your email account.
- Notifying us as soon as possible of any departure or change of people with access to the portal, so that we can revoke the corresponding registration.
Where this is going
The passwordless movement is not a peculiarity of ours. Apple, Google, Microsoft, Amazon, and almost all the big players are pushing the industry towards the elimination of passwords, either through OTP, magic links, or, increasingly, passkeys based on cryptography and device biometrics. The direction is clear, and we want to align with it, not as a trend, but because the data shows it: passwordless models drastically reduce the success of the most common attacks.
If you are a Zerolynx distributor and haven't yet logged in to the portal with the new flow, try it. It takes less time than remembering the password you set two years ago. And if you have any questions, write to us: that's what we're here for.
At Zerolynx, we have been protecting companies from digital risks for years. Starting with our own house seemed like the least we could do.
