By NHI Mgmt Group Editorial Team
Published 2026-05-27
Domain: Best Practices
Source: ConductorOne

TL;DR: Passwordless onboarding can still start with a plaintext temporary credential if organisations use a password to bootstrap passkey registration, leaving the weakest credential in inboxes and help-desk workflows, according to ConductorOne. The real governance issue is not passkey UX, but whether joiner processes can eliminate the interim secret entirely.


At a glance

What this is: This is a blog post about using Temporary Access Pass to bootstrap passwordless onboarding, with the key finding that many enterprises still introduce a password-shaped interim credential on day one.

Why it matters: It matters because identity teams have to govern the transition from joiner workflow to credential enrollment without reintroducing a phishable secret into human IAM and lifecycle processes.

👉 Read ConductorOne's post on passwordless onboarding with Temporary Access Pass


Context

Passwordless onboarding is supposed to remove the most exposed credential in the joiner flow, but many enterprises still create a temporary secret to get a new user into the system. That makes the problem less about authentication technology and more about whether lifecycle automation can deliver a first credential without falling back to a password pattern.

For IAM teams, the governance question is whether the first day of access can be built around ephemeral enrollment, not inbox-delivered secrets. The article uses Entra ID Temporary Access Pass as the example, but the operational issue is broader across human identity onboarding, help desk design, and lifecycle automation.


Key questions

Q: How should security teams bootstrap passwordless onboarding for new employees?

A: Security teams should use an ephemeral enrollment credential that exists only long enough for the user to register a durable method such as a passkey or device-bound authenticator. The onboarding path should be triggered by joiner lifecycle events, restricted to first-use enrollment, and designed so no reusable password is ever delivered to the user.

Q: Why do passwordless rollouts still fail when organisations use temporary access passes?

A: They fail when the temporary pass is treated like a short-term password instead of a controlled enrollment bridge. If the pass is emailed, shared verbally, or left valid too long, the organisation recreates the same exposure passwordless was meant to remove. The control must be the joiner workflow, not the login prompt.

Q: What do security teams get wrong about first-day access for new hires?

A: They often focus on the authentication method and ignore the handoff between HR, IT, and the identity provider. The real failure is allowing a human-readable secret to travel through onboarding steps before the user has enrolled a durable credential. That keeps the organisation dependent on weak bootstrap behaviour.

Q: How do you know if passwordless onboarding is actually working?

A: It is working when new hires can complete initial enrollment without receiving a reusable secret, without calling the help desk for a password, and without exceptions that extend beyond first use. If onboarding still depends on an inbox-delivered code or password, the programme has not fully removed the legacy control model.


Technical breakdown

How Temporary Access Pass bootstraps passwordless enrollment

Temporary Access Pass, or TAP, is a time-bounded credential issued by the identity provider so a new user can authenticate once and register a stronger method such as a passkey, Windows Hello, or an authenticator app. It is not meant to be a standing password. The important mechanism is that the pass exists only to bridge initial identity proofing to device-bound authentication, then becomes invalid. That changes the onboarding model from reusable secret management to short-lived enrollment control. The security value depends on strict lifetime, limited use, and safe delivery.

Practical implication: treat TAP as an enrollment bridge, not as a temporary password substitute.

Why inbox-delivered secrets recreate the password problem

The weakness in many onboarding flows is not the identity platform, but the delivery path. If a temporary secret is sent over email or read aloud on a call, the organisation has recreated the same exposure that passwordless was meant to remove. The attack surface now includes mailbox compromise, social engineering, and accidental disclosure before the user has enrolled a durable credential. This is a lifecycle failure, not an authentication feature gap. The risk exists during the handoff between HRIS-triggered provisioning and first-time enrollment.

Practical implication: remove any onboarding step that depends on a human-readable secret crossing email or voice channels.

How lifecycle automation supports first-day passkey readiness

The architecture described in the post ties HRIS joiner events to identity provisioning, temporary access issuance, and delivery workflows. That means the onboarding sequence can be automated end to end, with unique user creation, TAP issuance, and follow-up updates back to the HR system. The key design point is that the organisation is not managing a static password lifecycle at all. It is managing an ephemeral enrollment transaction that ends once the user registers a device-bound credential. The control boundary is therefore the joiner workflow, not the login screen.

Practical implication: align HR-triggered provisioning, passcode issuance, and passkey enrollment as one controlled joiner workflow.
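To make the enrollment-bridge model and the HRIS-triggered joiner sequence described above concrete, here is an added example. It is not ConductorOne's or Microsoft's code: the class names, the 15-minute default lifetime, the one-hour policy ceiling, the example.test naming rule and the `deliver` callback standing in for a controlled delivery channel are all assumptions. What it demonstrates is the policy the post argues for: the identity provider stores only a hash of the pass, the plaintext is handed out exactly once and never enters the record written back to HR, the pass unlocks nothing except registration of one durable method, it dies the moment that registration succeeds, and it cannot be reissued to a user who already holds a durable credential, which is the line between an enrollment bridge and a standing recovery path.

```python
"""Temporary Access Pass (TAP) modelled strictly as an enrollment bridge, plus
the HRIS-triggered joiner flow around it.  Added illustration, not the
identity provider's real implementation; names and limits are assumptions."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class TemporaryAccessPass:
    """Server-side record of one pass: only a hash of the secret is retained."""
    user_id: str
    pass_hash: str
    start: datetime
    lifetime: timedelta
    used: bool = False       # consumed by the one successful enrollment
    revoked: bool = False    # torn down as soon as a durable method exists

    def is_usable(self, now: datetime) -> bool:
        return (not self.used and not self.revoked
                and self.start <= now < self.start + self.lifetime)


class EnrollmentBridge:
    """Issues and redeems passes under a short-lived, single-use, enrollment-only policy."""

    MAX_LIFETIME = timedelta(hours=1)   # assumed policy ceiling, not a product default

    def __init__(self) -> None:
        self._passes: dict[str, TemporaryAccessPass] = {}
        self._durable: dict[str, set[str]] = {}   # user -> registered durable methods

    def issue(self, user_id: str, lifetime: timedelta = timedelta(minutes=15),
              now: Optional[datetime] = None) -> str:
        now = now or _utcnow()
        if lifetime > self.MAX_LIFETIME:
            raise ValueError("TAP lifetime exceeds the policy ceiling")
        if self._durable.get(user_id):
            # An enrollment bridge is not a recovery path for an already enrolled user.
            raise PermissionError("user already holds a durable credential")
        plaintext = secrets.token_urlsafe(9)
        self._passes[user_id] = TemporaryAccessPass(user_id, _digest(plaintext), now, lifetime)
        return plaintext   # handed to the delivery channel exactly once, never stored

    def redeem_for_enrollment(self, user_id: str, presented: str, method: str,
                              now: Optional[datetime] = None) -> bool:
        """The only operation a pass unlocks: registering one durable method."""
        now = now or _utcnow()
        tap = self._passes.get(user_id)
        if tap is None or not tap.is_usable(now):
            return False
        if not secrets.compare_digest(_digest(presented), tap.pass_hash):
            return False
        tap.used = True
        self._durable.setdefault(user_id, set()).add(method)
        tap.revoked = True   # the bridge ends the moment the user is enrolled
        return True

    def durable_methods(self, user_id: str) -> set[str]:
        return set(self._durable.get(user_id, set()))


def onboard_joiner(bridge: EnrollmentBridge, hris_event: dict,
                   deliver: Callable[[str, str], None],
                   now: Optional[datetime] = None) -> dict:
    """HRIS joiner event -> identity creation -> TAP issuance -> controlled delivery.

    `deliver` stands in for the controlled channel (for example an in-person or
    device-bound handover).  The plaintext goes only there; the returned record,
    which is what flows back to the HR system, never carries the secret."""
    now = now or _utcnow()
    user_id = f"{hris_event['employee_id']}@example.test"   # constructed naming rule
    plaintext = bridge.issue(user_id, now=now)
    deliver(user_id, plaintext)
    return {
        "user_id": user_id,
        "identity_created": True,
        "tap_issued": True,
        "hris_writeback": {"employee_id": hris_event["employee_id"],
                           "status": "awaiting_enrollment"},
    }


if __name__ == "__main__":
    # Constructed walk-through: joiner event, handover, enrollment, then a reuse attempt.
    handed: dict[str, str] = {}
    bridge = EnrollmentBridge()
    record = onboard_joiner(bridge, {"employee_id": "E1001"}, handed.__setitem__)
    uid = record["user_id"]
    print("enrolled:", bridge.redeem_for_enrollment(uid, handed[uid], "passkey"))
    print("reuse after enrollment:", bridge.redeem_for_enrollment(uid, handed[uid], "passkey"))
```

The two refusals in `issue` are the governance checks the analysis calls for: a lifetime above the ceiling and a request for a user who is already enrolled are both rejected at issuance, so the pass can never quietly turn into a long-lived or repeatable secret. Mapping this onto a real joiner chain means the HRIS event drives `onboard_joiner`, the writeback record (which contains no secret) is what the help desk and HR ever see, and the only artefact that outlives the flow is the registered durable method.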




NHI Mgmt Group analysis

Day-one passwordless onboarding is really a lifecycle problem, not an authentication problem. The article shows that the hardest part is getting a new hire from HR existence to enrolled passkey without introducing a reusable secret. That shifts the control plane from login mechanics to joiner orchestration, where delivery paths, identity proofing, and enrollment timing all matter. Practitioners should treat the onboarding sequence itself as the security boundary.

Temporary Access Pass is a better bridge than a password, but it still exposes a governance assumption. The assumption is that a short-lived enrollment credential can safely exist outside the user’s durable authentication state. That holds only if the pass is tightly scoped, rapidly consumed, and never repurposed as a standing recovery path. The implication is that teams must distinguish enrollment bridges from backup access, because those are not the same control.

Passwordless programmes fail when organisations preserve the old secret-delivery habit inside a new flow. The article makes clear that reading passwords aloud, sending them by email, or asking help desks to distribute them recreates the very risk passwordless is supposed to retire. That is not a technical limitation of passkeys. It is a governance failure in how first access is handed to the user. Practitioners should rethink onboarding design, not just credential type.

Credential lifecycle governance now starts before the first login, not after it. Once TAP-style enrollment is available, the relevant question becomes whether the identity programme can eliminate temporary secrets from human workflows entirely. The help desk, HRIS, and IdP must be treated as one joiner chain. The practical conclusion is that passwordless maturity is measured by the absence of fallback secrets in onboarding, not by passkey support alone.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For adjacent governance depth, the Top 10 NHI Issues resource helps teams connect onboarding controls to broader lifecycle and privilege management.

What this signals

Passwordless maturity will be judged by the disappearance of bootstrap secrets. As organisations move from passwords to passkeys, the real test is whether the joiner flow still depends on a temporary string that can be forwarded, read aloud, or reused. If so, the programme has modernised the login surface without changing the underlying trust model.

This is also where lifecycle governance becomes measurable. Teams should be able to show that the HR-triggered joiner path, identity creation, and first credential enrollment happen as one controlled sequence, with no manual password detour and no exception trail that outlives first login.


For practitioners

  • Remove password-shaped bootstrap steps from onboarding: Map every joiner workflow and delete any step that generates, displays, or reads out a human-usable password before passkey enrollment is complete. If a temporary access mechanism is required, keep it time-bounded and tied only to first-time credential registration.
  • Constrain delivery paths for first-access credentials: Review whether TAP or any equivalent enrollment secret can be sent through email, shared verbally, or forwarded to a manager. Prefer controlled delivery that limits exposure before enrollment and does not create an inbox-based secret trail.
  • Align HRIS, IdP, and help desk workflows: Treat the HR joiner event, identity creation, and credential enrollment as one governed lifecycle process. The objective is to ensure the user can register a durable credential without a manual ticket or a temporary password exception.
  • Measure passwordless maturity by secret elimination: Track whether new hires ever receive a reusable secret during onboarding. If the answer is yes, the programme is still operating with a password-era assumption even if passkeys are supported.

Key takeaways

  • Passwordless onboarding can still inherit password-era risk if the first credential is a reusable secret.
  • The operational problem is the joiner workflow, not the passkey itself, because the exposure happens before durable enrollment.
  • Identity teams should measure success by eliminating bootstrap secrets from day-one access, not by adding another temporary credential.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Temporary access used for onboarding should be time-bounded and tightly scoped.
NIST CSF 2.0 | PR.AC-1 | Joiner access should be provisioned with explicit authorization and lifecycle control.
NIST SP 800-63 | The article centers on federated digital identity enrollment and stronger authenticators. | Use passwordless enrollment paths that end in phishing-resistant authenticators and device-bound credentials.


Key terms

  • Temporary Access Pass: A Temporary Access Pass is a short-lived credential used to let a new user sign in once and enroll a stronger authenticator. In practice, it is an enrollment bridge, not a standing password. Its security value depends on tight expiry, limited use, and removal from the user journey after registration.
  • Passwordless Onboarding: Passwordless onboarding is the process of giving a new user their first usable credential without issuing a reusable password. It combines identity proofing, lifecycle provisioning, and authenticator enrollment so the user ends up on a durable method such as a passkey, not a shared or inbox-delivered secret.
  • Joiner Workflow: A joiner workflow is the identity lifecycle sequence that starts when a new worker or account is created and ends when access is usable. For passwordless programmes, it must coordinate HR, the identity provider, and delivery steps so the first credential is ephemeral and enrollment-focused.

Deepen your knowledge

Passwordless onboarding, lifecycle orchestration, and first-credential governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning joiner flows to remove bootstrap secrets, it is worth exploring.

This post draws on content published by ConductorOne: Your Passwordless Rollout Has a Password in It. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org