Passwords: Why they Fail at Onboarding, Recovery, and Support

By Malcolm Broad - Mar 12, 2026

Why the weakest points in workforce identity are the ones most organisations don’t model, measure, or secure.


In Article 1, I made a clear claim: passwords should not exist in a modern digital landscape. Not because users are careless or controls are misconfigured, but because shared secrets are structurally incompatible with modern trust.


This article goes one level deeper. Because even organisations that accept “passwords are weak” often respond with the same defence: “Yes, but we have MFA, conditional access, and strong IAM controls.”


That response misunderstands where identity actually fails in the real world. Passwords rarely fail at the login screen. They fail before login and after login, in the parts of identity that sit outside the authentication prompt:

  • onboarding
  • recovery
  • helpdesk
  • exception handling
  • temporary access


These are the places attackers target, because these are the places where trust is still negotiated by people and process, not cryptography.


The Illusion of a Secure Login

If you look only at a login screen, modern enterprise identity looks strong:

  • MFA is enabled
  • conditional access policies are enforced
  • risky sign-ins are flagged
  • device posture is evaluated


From a dashboard perspective, this looks like Zero Trust. But dashboards only show what happens after an identity has been accepted into the system.


The more important question is: How did that identity get there in the first place?


And that’s where most security models quietly break down.


The Shadow Identity System Nobody Models

Every organisation has two identity systems:

  1. The formal one (IAM, MFA, conditional access)
  2. The informal one (onboarding, recovery, helpdesk, HR handoffs)


The second system is rarely documented, audited, or threat modelled. Yet it is responsible for:

  • issuing first access
  • restoring lost access
  • resolving lockouts
  • bypassing controls “temporarily”
  • handling exceptions under time pressure


Attackers don’t fight the first system; they exploit the second.


Onboarding: Where Trust Is Granted Too Early

Workforce onboarding is a trust decision masquerading as an IT process. In most organisations, onboarding follows a familiar pattern:

  1. HR enters a new hire or contractor into an HR system
  2. An account is provisioned in IAM
  3. Initial permissions are assigned
  4. A username and password (or temporary secret) is issued
  5. MFA enrolment happens after first login


This flow contains a dangerous assumption: if HR initiated the process, the person must be legitimate. But HR systems do not verify identity cryptographically. They record intent, not proof, and attackers know this.


We increasingly see:

  • fake contractors inserted into supply chains
  • social engineering of recruiters or managers
  • impersonation during early onboarding stages
  • confusion exploited during first-day access


Once an account exists and credentials are issued, every downstream control assumes legitimacy. Zero Trust starts too late.


Recovery: The Quietest and Most Exploited Path

Password recovery is the most socially engineered identity process in any organisation. It must exist because passwords fail, and recovery processes typically involve:

  • identity questions
  • HR confirmation
  • manager approval
  • helpdesk scripts
  • email or SMS delivery


Each step introduces a human judgment call, and humans are precisely what attackers manipulate.


CISA has repeatedly warned that attackers exploit MFA reset and recovery processes, including social engineering service desks to issue new credentials or bypass controls. This is why phishing-resistant authentication is recommended, not just MFA layered on top of passwords.


Once recovery is compromised, the attacker doesn’t need to bypass controls, they are granted legitimate access.


MFA Fatigue Didn’t Break MFA, It Exposed the Model

Push-based MFA was designed to improve usability, but it also created a new attack surface. MFA fatigue (or “prompt bombing”) works because:

  • the attacker already has the password
  • the system still treats the password as the root credential
  • the user is conditioned to approve prompts to get work done


CISA’s guidance explicitly calls out these attacks and recommends phishing-resistant MFA, not incremental MFA layers around passwords. This distinction matters: MFA fatigue is not a failure of MFA technology. It’s a failure of a system that still relies on a shared secret at its core.
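The three conditions above are visible in sign-in telemetry: a password that succeeds, followed by a burst of push prompts that the user denies and then finally approves. The detector below, an added example that is not from the article or from any vendor's product, runs over constructed sample log lines (event names and format are assumed, not a real log schema) and flags that pattern per user.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article or any real tenant).
# Each line: ISO-8601 timestamp, username, event name (assumed schema).
SAMPLE_LOG = """\
2026-03-10T08:01:02Z alice password_ok
2026-03-10T08:01:05Z alice mfa_push_sent
2026-03-10T08:01:35Z alice mfa_push_denied
2026-03-10T08:01:40Z alice mfa_push_sent
2026-03-10T08:02:10Z alice mfa_push_denied
2026-03-10T08:02:15Z alice mfa_push_sent
2026-03-10T08:02:45Z alice mfa_push_denied
2026-03-10T08:02:50Z alice mfa_push_sent
2026-03-10T08:03:01Z alice mfa_push_approved
2026-03-10T09:00:00Z bob password_ok
2026-03-10T09:00:03Z bob mfa_push_sent
2026-03-10T09:00:10Z bob mfa_push_approved
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_prompt_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who receive >= threshold push prompts inside `window`
    after a successful password check. The valid password is what lets the
    attacker generate prompts at will; an approval that follows repeated
    denials is the fatigue signal worth paging on."""
    findings, by_user = {}, {}
    for ts, user, event in sorted(events):
        by_user.setdefault(user, []).append((ts, event))
    for user, seq in by_user.items():
        last_pw = None
        for ts, event in seq:
            if event == "password_ok":
                last_pw = ts
            elif event == "mfa_push_sent" and last_pw is not None:
                span = [e for t, e in seq if ts <= t <= ts + window]
                prompts = span.count("mfa_push_sent")
                if prompts >= threshold:
                    denied = span.count("mfa_push_denied")
                    approved = "mfa_push_approved" in span
                    findings[user] = {"prompts": prompts, "denied": denied,
                                      "approved_after_denials": approved and denied > 0}
                    break
    return findings
```

In a real deployment the interesting response is not only alerting on the burst but treating the eventual approval as untrusted until the user re-proves possession of a phishing-resistant factor.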


Temporary Access Passes: Symptom and Signal

Temporary Access Passes (TAP) exist for a reason. Microsoft describes TAP as a time-limited passcode used to bootstrap passwordless authentication or recover access when other methods aren’t available. TAP is an acknowledgement of reality:

  • passwords create lockouts
  • recovery is risky
  • onboarding needs a safer bootstrap


But password-based TAP is still a temporary secret. It improves experience and reduces exposure, but it does not change the underlying trust model. If TAP becomes the new “password replacement” rather than a bridge away from secrets, organisations simply relocate the same risk.


The signal TAP sends is important: Even the platform vendors recognise that passwords are no longer viable at the edges.


Why Attackers Love Identity Edges

Mandiant’s M-Trends 2025 report shows that stolen credentials remain a common initial access vector, reflecting the maturity of credential theft and resale markets.


Verizon’s 2025 DBIR reinforces this, highlighting the continued dominance of credential abuse in breach patterns across industries.


What’s consistent across these reports is not just that credentials are abused, but how:

  • attackers seek legitimate access
  • they blend into normal workflows
  • they avoid triggering detection


Onboarding, recovery, and support processes are perfect targets because:

  • urgency overrides scrutiny
  • documentation is incomplete
  • exceptions are expected
  • trust is extended “temporarily”


And temporary trust has a habit of becoming permanent.


The Cost Nobody Attributes to Passwords

Password-related costs rarely show up as “password line items.”

They appear as:

  • helpdesk tickets
  • onboarding delays
  • lost productivity
  • incident response
  • audit remediation
  • compensating controls


Industry estimates regularly place the cost of a single password reset at tens of dollars, and much higher once productivity loss is included. But the real cost is not just resets; it’s the fact that every reset is a trust re-negotiation, performed by humans under pressure.


The Structural Problem: Knowledge-Based Trust

All these failures share a common root: Passwords and their recovery flows rely on knowledge-based trust.

Knowledge:

  • can be copied
  • can be shared
  • can be replayed
  • can be coerced
  • leaves no reliable proof trail


As long as identity depends on knowledge, the system must maintain:

  • fallback paths
  • human verification
  • exceptions
  • secrets distribution


And attackers will continue to exploit those paths.


What Changes When You Remove Secrets Entirely

When onboarding and recovery stop distributing secrets, several things happen immediately:

  1. Recovery becomes rare: There is nothing to reset or recover.
  2. Helpdesk attack surface collapses: Support no longer brokers access.
  3. Onboarding becomes a proof event: Identity is verified, not assumed.
  4. MFA fatigue disappears: There is no prompt to approve without proof.


This is why modern guidance increasingly points toward phishing-resistant, cryptographic authentication as the baseline. NIST’s updated digital identity guidance (SP 800-63B-4) emphasises authentication mechanisms that provide proof of possession and resistance to phishing, properties incompatible with shared secrets.


From Secrets to Proof: The Direction Is Clear

Across standards bodies, platform vendors, and incident response data, the direction is consistent:

  • away from passwords
  • away from recovery scripts
  • away from shared secrets
  • toward proof-based identity


Passkeys address authentication. Verified credentials address identity claims. Together, they remove the need for passwords at onboarding and recovery entirely.

The point is not that passwords are “bad.” It’s that they are obsolete.


The Question Organisations Must Now Ask

Not: “How do we secure passwords better?”

But: “Why do we still issue secrets at all?”

Every place a password or temporary secret exists, there is:

  • a recovery path
  • a human decision
  • an exploitable edge


Modern identity removes the edge instead of defending it.


Where This Leads Next

In the next article, we’ll move from diagnosis to design.

We’ll show:

  • what a proof-based workforce identity model actually looks like
  • how passkeys and verified credentials work together
  • how onboarding becomes a trust decision, not a credential task
  • why this model scales better, costs less, and reduces risk structurally


Because once you see how proof-based identity works, it becomes very hard to justify keeping passwords anywhere in the flow.


References (APA 7)

Cybersecurity and Infrastructure Security Agency. (2022). Implementing phishing-resistant MFA (Fact sheet). https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

Microsoft. (2026). Configure Temporary Access Pass to register passwordless authentication methods (Microsoft Entra ID). https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass

National Institute of Standards and Technology. (2025). Digital Identity Guidelines: Authentication and lifecycle management (SP 800-63B-4). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf

Verizon. (2025). 2025 Data Breach Investigations Report. https://www.verizon.com/business/resources/T16f/reports/2025-dbir-data-breach-investigations-report.pdf

Mandiant. (2025). M-Trends 2025. https://services.google.com/fh/files/misc/m-trends-2025-en.pdf


Malcolm Broad

Chief Growth Officer
