
Passwordless onboarding: what happens to the first credential?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter

TL;DR: Passwordless onboarding can still start with a plaintext temporary credential if organisations use a password to bootstrap passkey registration, leaving the weakest credential in inboxes and help-desk workflows, according to ConductorOne. The real governance issue is not passkey UX, but whether joiner processes can eliminate the interim secret entirely.

NHIMG editorial — based on content published by ConductorOne: Your Passwordless Rollout Has a Password in It

Questions worth separating out

Q: How should security teams bootstrap passwordless onboarding for new employees?

A: Security teams should use an ephemeral enrollment credential that exists only long enough for the user to register a durable method such as a passkey or device-bound authenticator.

Q: Why do passwordless rollouts still fail when organisations use temporary access passes?

A: They fail when the temporary pass is treated like a short-term password instead of a controlled enrollment bridge.

Q: What do security teams get wrong about first-day access for new hires?

A: They often focus on the authentication method and ignore the handoff between HR, IT, and the identity provider.

Practitioner guidance

  • Remove password-shaped bootstrap steps from onboarding. Map every joiner workflow and delete any step that generates, displays, or reads out a human-usable password before passkey enrollment is complete.
  • Constrain delivery paths for first-access credentials. Review whether TAP or any equivalent enrollment secret can be sent through email, shared verbally, or forwarded to a manager.
  • Align HRIS, IdP, and help desk workflows. Treat the HR joiner event, identity creation, and credential enrollment as one governed lifecycle process.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step workflow logic for generating a unique UPN and issuing TAP during joiner automation
  • The sample Entra ID and Graph API sequence used to create the user, issue the pass, and hand it off
  • The exact email handoff pattern for delivering TAP to the user, manager, or IT team
  • The Workday write-back pattern that syncs the final work email after enrollment

👉 Read ConductorOne's post on passwordless onboarding with Temporary Access Pass →
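One way to turn the three guidance points above into a repeatable check, as an added example that is not code from the NHIMG post or from ConductorOne: the step schema (kind, credential, delivery, single_use, lifetime_minutes) is an assumption made for this example, and the workflow is a constructed sample that still emails a temporary password and forwards the enrollment secret before the passkey is registered.

```python
"""Audit a joiner workflow for password-shaped bootstrap steps.

Added example, not from the NHIMG post or ConductorOne. The step schema
(kind, credential, delivery, single_use, lifetime_minutes) is an assumption."""

# Delivery paths the guidance above flags as uncontrolled for a first-access secret.
UNCONTROLLED_DELIVERY = {"email", "verbal", "forward"}


def audit_joiner_workflow(steps, max_lifetime_minutes=60):
    """Return findings for every step before passkey enrollment completes;
    an empty list means the bridge is controlled (no human-usable password,
    single-use, short-lived, never sent over an uncontrolled path)."""
    findings = []
    enrolled = False
    for step in steps:
        name, kind = step["name"], step["kind"]
        if kind == "enroll_passkey":
            enrolled = True          # everything after this point is post-bootstrap
            continue
        if enrolled:
            continue
        delivery = step.get("delivery")
        if kind == "issue_credential":
            if step["credential"] == "password":
                findings.append(f"{name}: human-usable password issued before enrollment")
            if not step.get("single_use", False):
                findings.append(f"{name}: enrollment credential is reusable")
            if step.get("lifetime_minutes", 0) > max_lifetime_minutes:
                findings.append(f"{name}: lifetime exceeds {max_lifetime_minutes} minutes")
        if kind in ("issue_credential", "deliver") and delivery in UNCONTROLLED_DELIVERY:
            findings.append(f"{name}: secret delivered via {delivery}")
    if not enrolled:
        findings.append("workflow never reaches passkey enrollment")
    return findings


# Constructed sample: a workflow that bootstraps a TAP correctly but still issues
# and emails a temporary password first, then forwards the secret to a manager.
SAMPLE_WORKFLOW = [
    {"name": "hr-joiner-event", "kind": "hr_event"},
    {"name": "create-user", "kind": "idp_create"},
    {"name": "issue-temp-password", "kind": "issue_credential", "credential": "password",
     "delivery": "email", "single_use": False, "lifetime_minutes": 10080},
    {"name": "issue-tap", "kind": "issue_credential", "credential": "tap",
     "delivery": "in_app", "single_use": True, "lifetime_minutes": 60},
    {"name": "forward-to-manager", "kind": "deliver", "delivery": "forward"},
    {"name": "register-passkey", "kind": "enroll_passkey"},
]
```

Running `audit_joiner_workflow(SAMPLE_WORKFLOW)` reports five findings, all on the password step and the manager forward; the TAP step itself passes, which is the point: the pass is fine, the surrounding workflow is not.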

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
Day-one passwordless onboarding is really a lifecycle problem, not an authentication problem. The article shows that the hardest part is getting a new hire from HR existence to enrolled passkey without introducing a reusable secret. That shifts the control plane from login mechanics to joiner orchestration, where delivery paths, identity proofing, and enrollment timing all matter. Practitioners should treat the onboarding sequence itself as the security boundary.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do you know if passwordless onboarding is actually working?

A: It is working when new hires can complete initial enrollment without receiving a reusable secret, without calling the help desk for a password, and without exceptions that extend beyond first use. If onboarding still depends on an inbox-delivered code or password, the programme has not fully removed the legacy control model.

👉 Read our full editorial: Passwordless user onboarding still hides a day-one password risk
