Passwords Shouldn’t Exist
Why shared secrets (which aren’t really secrets) are incompatible with modern trust, and why verified credentials are the replacement.
There’s a sentence we’ve all heard in security for years: “Treat passwords like secrets.”
That advice made sense in an era where most systems were local, most users sat behind corporate networks, and “identity” meant a directory entry plus a static login prompt.
But a secret only works if it stays secret.
And that’s the foundational problem with passwords in modern organisations: they can’t stay secret. They’re created, transmitted, stored, reset, recovered, synced, typed, phished, replayed, guessed, brute-forced, stolen from logs, captured by infostealers, or extracted from breaches. At scale, password-based identity isn’t a control; it’s an operational tax and a persistent, significant exposure.
If we’re being honest, the modern workforce doesn’t have a password problem; it has a trust model problem.
The uncomfortable truth: passwords are a broken primitive
Passwords are “knowledge-based authentication”, created in the 1950s. They ask a user to prove identity by knowing something. Knowledge is inherently transferable: it can be learned, shared, coerced, intercepted, or replayed.
That’s not an implementation flaw; it’s a design flaw.
And we see the consequences in the data: credential abuse is consistently a leading pathway into systems and breaches. The Verizon 2025 Data Breach Investigations Report (DBIR) points to the continued prevalence of stolen credentials across major attack patterns, including basic web application attacks where stolen credentials show up heavily.
Meanwhile, Mandiant’s M-Trends 2025 highlights how stolen credentials remain a common initial access vector, reflecting the industrialisation of credential theft through infostealers and access brokers.
This is not about “bad password hygiene.” It’s about a weak trust mechanism being asked to carry the weight of modern risk.
“But we have MFA or Passkeys” isn’t the win people think it is
MFA improves security over passwords alone, and passkeys are secure credentials. Neither eliminates the core issue: passwords remain the root credential, and the surrounding recovery and onboarding processes still rely on human and procedural weak points.
Push-based MFA introduced a new class of attacks: fatigue/prompt bombing. CISA has published guidance highlighting these dynamics and recommending phishing-resistant approaches.
Passkeys, although better in principle, are still generated from the weakest link: a password.
Attackers don’t need to beat your controls if they can exploit your processes:
- convince a helpdesk to reset a password
- capture a password via phishing or infostealer malware
- trigger repeated MFA prompts until someone accepts
- hijack onboarding flows while a new employee is confused and time-pressured
In other words, if identity starts with a shared secret, the system will always have a “reset and recovery” shadow IT process that attackers can manipulate.
Onboarding is where Zero Trust often starts too late
Most organisations tell a Zero Trust story like this:
- strong policies
- conditional access
- device posture checks
- privileged controls
- logging and monitoring
All good, but workforce access usually begins with:
- create an account
- assign initial permissions
- issue a username/password or temporary secret
- let the user enroll MFA or create a Passkey
- attempt to tighten policy later
This sequence contains the most dangerous assumption in workforce security:
If an account exists in IAM, the person behind it must be legitimate.
That assumption is precisely what attackers exploit. And it’s why the earliest steps (joiner flows, contractor onboarding, first-time access, recovery) are repeatedly targeted.
The solution is not “more onboarding steps” or “harder passwords”; it’s to replace secrets with proof.
Modern identity is proof-based, not knowledge-based
The direction of modern identity standards is clear: move toward phishing-resistant, cryptographic authenticators that prove possession of a key, not knowledge of a secret.
NIST’s updated digital identity guidance (SP 800-63B-4) describes higher assurance authentication in terms of cryptographic proof of possession and phishing resistance, and highlights requirements that align strongly with modern public-key authenticators.
In plain terms: the system should verify that a user controls a cryptographic authenticator, not that they can type a secret.
This is the same foundational model behind the industry push toward passkeys and FIDO-based authentication. The FIDO Alliance describes passkeys as replacing passwords with cryptographic key pairs, delivering phishing resistance and improved user experience.
Passkeys do matter, and why they’re still only part of the story
Passkeys are a massive step forward. They remove the “shared secret” as the primary factor and reduce phishing and credential replay risk.
But workforce onboarding still has a bigger question to answer:
Who is this person, really, before we issue access?
Authentication proves a returning user controls a device-bound (or synced) key. But onboarding is where organisations must establish identity in the first place. That’s the gap between “strong login” and “trusted workforce identity.”
And that’s why Verified Credentials (VCs) matter.
Verified Credentials: proof of claims, not passwords
Verifiable Credentials are a W3C standard for tamper-evident credentials that can be cryptographically verified. They are designed to prove claims about an entity (like employment status, role, certification, eligibility) in a way that is verifiable and resistant to tampering.
The W3C’s supporting work on data integrity mechanisms further describes how cryptographic proofs support authenticity and integrity for credentials and related documents.
This is the key conceptual shift:
- Passwords prove “I know a secret.”
- Passkeys prove “I control a private key.” (weakened by password-led generation)
- Verified Credentials prove “These claims about me were issued by a trusted party and can be cryptographically verified.”
In workforce terms, VCs can represent high-value assertions like:
- “This person is a legitimate employee/contractor.”
- “This person is cleared for a certain role or system.”
- “This identity was proofed to a given assurance level.”
- “This access entitlement is valid, current, and revocable.”
Now onboarding becomes a trust decision based on proof, not a procedural guess backed by shared secrets.
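To make that shift concrete, here is an added example (written for this article, not code from the W3C specification or any product) of a minimal issuer-signed credential in Go: the issuer signs claims with an Ed25519 key, and the relying party accepts the credential only if the issuer is one it trusts, the proof verifies over the exact claims, and the credential has not expired. The credential shape, the `did:example:*` identifiers and the claim names are all constructed for the example; it does not implement the W3C Data Integrity canonicalisation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a minimal, VC-shaped record constructed for this example (not the W3C data model).
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Expires int64             `json:"expires"` // unix seconds
	Proof   []byte            `json:"proof,omitempty"`
}

// signingBytes serialises all but the proof; encoding/json's fixed field order and sorted map keys make it reproducible.
func (c Credential) signingBytes() []byte {
	c.Proof = nil
	b, _ := json.Marshal(c) // cannot fail for these field types
	return b
}

// Issue attaches the issuer's Ed25519 signature; the holder receives signed claims, not a replayable secret.
func Issue(priv ed25519.PrivateKey, c Credential) Credential {
	c.Proof = ed25519.Sign(priv, c.signingBytes())
	return c
}

// Verify is the relying party's trust decision: known issuer, untampered claims, still current.
func Verify(c Credential, trusted map[string]ed25519.PublicKey, now int64) error {
	pub, ok := trusted[c.Issuer]
	switch {
	case !ok:
		return fmt.Errorf("untrusted issuer %q", c.Issuer)
	case !ed25519.Verify(pub, c.signingBytes(), c.Proof):
		return fmt.Errorf("invalid proof: claims tampered with or forged")
	case now >= c.Expires:
		return fmt.Errorf("credential expired")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"did:example:hr": pub} // hypothetical issuer id
	cred := Issue(priv, Credential{Issuer: "did:example:hr", Subject: "did:example:alice", Claims: map[string]string{"role": "engineer"}, Expires: 1_700_003_600})
	fmt.Println("genuine:", Verify(cred, trusted, 1_700_000_000))
	cred.Claims["role"] = "admin" // alter a claim after issuance
	fmt.Println("tampered:", Verify(cred, trusted, 1_700_000_000))
}
```

Altering a claim, substituting the issuer, or presenting the credential after expiry all fail verification, which is the tamper-evident property the W3C model describes; nothing the holder "knows" is ever compared.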
Temporary Access Passes are a bridge, not a destination
Most enterprises still need a transitional mechanism while they modernise. Temporary Access Passes (TAP) are one such tool: Microsoft describes TAP as a time-limited passcode that can be used to sign in and onboard passwordless authentication methods, and it is commonly used for bootstrapping and recovery scenarios.
TAP reduces the need to distribute long-lived passwords, but it is still a temporary secret. It helps, but it doesn’t change the trust model.
The modern architecture uses TAP (or equivalent) as an on-ramp:
- bootstrap the initial session safely
- verify the person to a defined assurance level
- issue proof-based credentials (passkeys + verified credentials)
- stop distributing secrets entirely
The end state is simple: no passwords, no password resets, no password recovery loops.
The attack economy is already telling us what to fix
Credential theft is not an edge case. It’s an economy.
- Infostealers harvest credentials at scale.
- Access brokers resell “valid logins.”
- Threat actors use “legitimate access” to evade detection.
- Social engineering targets the people and processes around access.
Mandiant’s reporting reflects how credential theft has become a significant driver of intrusions. Verizon’s reporting repeatedly reinforces the scale of credential-related intrusion paths.
If identity is your primary control plane, then a password-based identity plane is a structural weakness.
The UX truth: passwords are hostile and expensive
Password-based onboarding is a terrible first impression:
- Day 1 confusion and lockouts
- “Set a complex password you’ll never use again”
- MFA enrolment friction
- support tickets before productivity begins
Security teams often accept this friction as “the cost of control,” but in reality it’s the cost of an outdated trust model.
When you remove passwords, you don’t just improve security; you remove operational waste:
- fewer tickets
- fewer resets
- fewer exceptions
- fewer manual workflows
- the ability to self-serve
And, crucially, you reduce the blast radius of human error and social engineering in onboarding and recovery processes.
The business case: remove an entire class of failure
When a system relies on shared secrets, it must also maintain:
- reset and recovery channels
- identity verification scripts for helpdesks
- exception handling for devices and logins
- compensating controls that try to patch human processes
This is why passwordless is more than a security “upgrade.” It’s operational simplification.
A modern trust model has three properties:
- Proof over secrets (cryptographic possession, phishing resistance)
- Claims that can be verified (VCs, integrity, issuer authenticity)
- A bridge strategy that avoids long-lived passwords (TAP used only for bootstrapping)
The position to take today
A shared secret is not a secret.
A password-based onboarding flow cannot deliver modern trust, because it begins by distributing something that can be copied, replayed, and abused. The more your workforce expands (contractors, partners, distributed teams), the more that weakness scales.
So the position isn’t “passwords are imperfect.” It’s: passwords shouldn’t, and don’t need to, exist in a modern digital landscape.
The replacement is proof-based identity:
- verified credentials for cryptographic, verifiable claims about the person
- passkeys for phishing-resistant authentication, generated by a verified credential
- temporary bridges like TAP, issued via verified credentials, only as a controlled on-ramp, not a dependency
What this means for workforce onboarding
A modern workforce onboarding experience should look like this:
- Verify the person (strong identity proofing aligned to risk)
- Issue verifiable claims (verified credentials)
- Issue proof-based identity (passkeys)
- Grant access by policy (least privilege, context-aware)
- Eliminate secrets (no password distribution, no reset loops)
This is the difference between “managing credentials” and “deciding trust.”
And that’s the point: Modern identity doesn’t manage passwords. It removes them.
References
- Cybersecurity and Infrastructure Security Agency. (2022). Implementing phishing-resistant MFA (Fact sheet).
- Microsoft. (2026, February 16). Configure Temporary Access Pass to register passwordless authentication methods (Microsoft Entra ID).
- Microsoft. (2025, December 7). Authentication methods in Microsoft Entra ID (overview).
- National Institute of Standards and Technology. (2025). NIST Special Publication 800-63B-4: Digital Identity Guidelines—Authentication and lifecycle management.
- FIDO Alliance. (2024, August 29). Replacing password-only authentication with passkeys in the enterprise (White paper).
- FIDO Alliance. (n.d.). Passkeys: Passwordless authentication.
- Verizon. (2025). 2025 Data Breach Investigations Report (DBIR).
- Mandiant. (2025). M-Trends 2025.
- World Wide Web Consortium. (2025, May 15). Verifiable Credentials Data Model v2.0.
- World Wide Web Consortium. (n.d.). Verifiable Credentials data integrity 1.0.