Various embodiments of the present technology use a combination of static and rotating access credentials to access target devices. Some embodiments start with a multi-factor authentication (MFA) token that can be used to log into the platform head-end. If approved, a landing page requesting login credentials can be presented to the user. The user can provide a username and password via landing page and select a PAM or CASB target. The system then issues a secondary access credential (e.g., a pin/token) that is unknown to the user and is placed into a vault. A dynamic credential can be dynamically generated at each request. The target device can use the static access credential from the vault and the dynamic access credential for access to the device. As such, even if the vault is comprised, the target device would be inaccessible without the dynamic token which constantly changing.