Secure Employee Onboarding: How to Share Credentials Safely
The first week at a new job involves a flood of credentials: email account passwords, VPN configurations, database access, SaaS tool logins, WiFi passwords, building access codes, and more. How these credentials are shared during onboarding sets the tone for an organization's security posture.
Too often, onboarding looks like this: an IT admin sends an email with a list of usernames and passwords in plain text, or a manager posts credentials in a Slack DM. Both create permanent security liabilities. Here's a better way.
The Onboarding Credential Problem
New employees need access to many systems quickly. This creates pressure to share credentials through the fastest channel available, usually email or chat. That causes several problems:
- Credentials persist in email/chat forever — That welcome email with all the passwords is still in the inbox months later
- Initial passwords are rarely changed — If the onboarding email says "your password is Welcome123!", many people keep it
- No audit trail — There's no record of whether the new hire actually received and stored the credentials properly
- Forwarding risk — Onboarding emails get forwarded to personal accounts "for safekeeping"
A Secure Onboarding Credential Workflow
Step 1: Pre-Provision Accounts
Before the new hire's first day, create their accounts in all necessary systems with temporary passwords. Use your identity provider (Google Workspace, Microsoft Entra, Okta, Keycloak) for SSO wherever possible — fewer passwords to share means fewer opportunities for exposure.
Step 2: Share Credentials via Self-Destructing Links
For each credential the new hire needs, create a self-destructing encrypted link. Using Authly Send:
- Paste the credential (username + temporary password)
- Set expiration to 24 hours
- Add a PIN for extra security
- Send the link via email or your onboarding system
- Share the PIN via a separate channel (e.g., SMS or a phone call)
The new hire opens the link, sees the credential, and the link self-destructs. The email keeps only a dead link, not the credential.
Step 3: Require Immediate Password Changes
Configure all accounts to require a password change on first login. This ensures the temporary credential you shared becomes immediately obsolete. The new hire creates their own password and stores it in their password manager.
Step 4: Set Up Their Password Manager
The new hire's first IT task should be setting up the company password manager (1Password, Bitwarden, etc.). Once their vault is active, add them to the appropriate shared vaults for any ongoing shared credentials.
Step 5: Confirm and Clean Up
Verify the new hire has access to all required systems. Check that the self-destructing links have been consumed (Authly Send's dashboard shows this). Remove any temporary access that's no longer needed.
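The Step 5 check can be scripted. The following is an added example, not Authly Send's code or API: it cross-checks each link's status against the account's state to catch temporary passwords that are still live. The record fields, function names and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=24)  # the 24-hour expiration from Step 2

def audit_onboarding(links, accounts, now):
    """Return sorted (system, finding) pairs for one new hire."""
    # Field names are assumptions for this example, not a real export format.
    findings = []
    for link in links:
        system = link["system"]
        account = accounts.get(system)
        if link["ttl"] > MAX_TTL:
            findings.append((system, "link lifetime exceeds 24 hours"))
        if link["pin_channel"] is None:
            findings.append((system, "no PIN set"))
        elif link["pin_channel"] == link["link_channel"]:
            findings.append((system, "PIN sent over the same channel as the link"))
        if link["consumed_at"] is None:
            expired = now >= link["created"] + link["ttl"]
            state = "expired unread, reissue" if expired else "still unread"
            findings.append((system, "link " + state))
        elif account is None:
            findings.append((system, "link consumed but no account on record"))
        elif account["must_change_password"]:
            # Link was read but the forced change has not happened yet,
            # so the temporary password that was shared is still valid.
            findings.append((system, "temporary password still active"))
    return sorted(findings)

# Constructed sample data, not real records.
T0 = datetime(2024, 1, 8, 9, 0)

def sample_link(system, ttl_hours, pin_channel, consumed_after_hours):
    consumed = None if consumed_after_hours is None else T0 + timedelta(hours=consumed_after_hours)
    return {"system": system, "created": T0, "ttl": timedelta(hours=ttl_hours),
            "link_channel": "email", "pin_channel": pin_channel, "consumed_at": consumed}

SAMPLE_LINKS = [
    sample_link("email", 24, "sms", 1),       # clean: read, password changed
    sample_link("vpn", 24, "email", 2),       # PIN and link share a channel
    sample_link("database", 72, None, None),  # long-lived, no PIN, never opened
]
SAMPLE_ACCOUNTS = {name: {"must_change_password": pending}
                   for name, pending in [("email", False), ("vpn", True), ("database", True)]}

if __name__ == "__main__":
    for system, finding in audit_onboarding(SAMPLE_LINKS, SAMPLE_ACCOUNTS, T0 + timedelta(hours=48)):
        print(f"{system}: {finding}")
```

A consumed link paired with a still-pending password change is the case worth chasing first: the credential has been read, but the temporary password has not yet been replaced.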
Onboarding Checklist: Credentials Security
- Set up SSO/identity provider accounts first (reduces passwords needed)
- Share each credential via a separate self-destructing encrypted link
- Use PIN protection on links with a separate delivery channel for PINs
- Set 24-hour expiration on all onboarding links
- Require password change on first login for all accounts
- Set up the new hire's password manager on day one
- Add them to appropriate shared vaults in the password manager
- Verify all links have been consumed and access is confirmed
- Document which systems the employee has access to (for future offboarding)
What About Offboarding?
The flip side of onboarding is equally important. When an employee leaves:
- Rotate every shared credential they had access to
- Remove them from all shared vaults
- Disable their SSO account (which revokes access to all SSO-connected tools)
- Review any one-time links they may have created (check for unexpired secrets)
If you used self-destructing links for onboarding, there are no lingering credential emails to worry about — the links died long ago.
Start Secure Onboarding Today
Your next new hire deserves a secure start. Authly Send makes it easy to share onboarding credentials through encrypted, self-destructing links — with optional PIN protection and expiration control. No setup required, free to use, and takes seconds per credential.