Phishing prevention is one outcome, but it describes only one of the three credential claim types MyCena addresses. The full scope is: phishing and social engineering (~44% of credential incidents), shared and stolen credentials (~28%), and inactive account access (~29%).

Phishing fails because the credential is never typed — the phishing page has no target. Sharing fails because the user never sees the credential — there is nothing to copy, forward, or sell. Inactive account access fails because the organisation revokes every credential in seconds when someone leaves — there is nothing left active for an attacker to find.

These are not three separate features. They are three consequences of the same architectural decision: the organisation generates and controls the credential rather than the user.