Skip to content

How to Solve the Secret Zero Problem with Akeyless

In this article, we’ll introduce Universal Identity, our proprietary authentication method that keeps organizations safe and productive by solving the secret zero problem for the modern enterprise with hybrid infrastructure. 

The secret zero problem

In 2020, 37 percent of credential theft breaches used stolen or weak credentials.* One particular area of credential vulnerability lies in the secret zero problem. 

With many different resources to access in an enterprise environment, DevOps and technology professionals store their credentials in secrets management vaults, key management systems, or hardware security modules (HSM). All of these require user authentication with a master token or secret, also known as secret zero. If secret zero becomes compromised, you’re rolling out a welcome mat to your infrastructure. 

Wherever secret zero is stored, there’s now a vulnerable point of entry for motivated attackers to find their way inside your virtual walls.

A solution: Universal Identity

At Akeyless, we’ve designed an authentication method called Universal Identity that sidesteps the secret zero problem. There are different solutions to this problem, but we think the best way is to eradicate secret zero entirely.

At a high level, Akeyless Universal Identity achieves this in two main ways:

  • First, by continually authenticating via temporary, rotating tokens
  • Second, by allowing machines to inherit authentication from a parent machine, creating an authentication tree

Instead of using secret zero for authentication, you can use Universal Identity to authenticate continuously via an auto-expiring token. 

How Universal Identity works

The first part of Universal Identity is the auto-rotation of tokens. To start, the user generates a one-time starter token with our CLI or Akeyless web console. When creating the token, the user can designate the time to live, or TTL. The TTL tells Akeyless when to generate a new token, which immediately invalidates the previous token. For example, if the TTL of the token is one minute, Akeyless generates a randomized token every minute to replace the expired one.

Being able to auto-rotate tokens means that secret zero only exists for a short time. In other systems, secret zero lasts forever, or until someone generates a new token to replace it.  

The second piece of Universal Identity lies in authentication inheritance, where a token inherits a set of permissions from its parent. In Akeyless, not only do child tokens inherit a subset of permissions from its parent token, they also auto-rotate. This eliminates the secret zero problem for the entire authentication tree, with little to no overhead. 


In summary, auto-rotating tokens means secret zero no longer holds all the power. With Akeyless, secret zero is ephemeral—and it doesn’t create a backdoor for hackers to come in and out of your infrastructure at their choosing. With token inheritance, this model resolves the secret zero problem at scale. 

To learn even more about Universal Identity, see our documentation.

Want to see how Universal Identity fits in your infrastructure? Book a custom demo with us today.

*Verizon Business 2020 Data Breach Investigations Report


See Akeyless in Action

Get a Demo certification folder key