Today's secure remote access tools create unnecessary friction. VPNs and privileged access management (PAM) platforms burden users—particularly engineers—by forcing them to abandon their natural workflows.
The remote access market is dominated by proprietary clients and web-based proxies. When developers need to SSH into a production server or query a database, they typically must:
Interrupt their work
Connect to a VPN
Authenticate through a web portal
Locate the target account (a requirement with many legacy PAM vendors)
Retrieve a password, copy it to clipboard, then paste it into their client—or rely on credential injection where the vendor supports it
Security gets enforced, but productivity suffers. This friction—the context switching required before performing actual work—is what we call the "portal tax." It's a hidden cost embedded in much of today's security infrastructure. It distracts users and, frankly, drives them toward workarounds that expose credentials.
At HashiCorp, we believe effective security should be invisible. Developers and other users shouldn't feel encumbered while working securely. We aim to make the secure path effortless, automated, and background-native. That's the philosophy behind HashiCorp Boundary: our modern secure remote access solution, sometimes called an "identity-aware proxy."
Boundary's defining capability is transparent sessions. It eliminates the need for users to remember resource IDs or ephemeral ports when connecting to targets. Developers can adopt Boundary without changing how they work. Combined with RDP and SSH credential injection for passwordless access, transparent sessions remove the portal tax entirely.
This article compares Boundary's native-tool workflow with the portal-first approach most vendors still deploy.
Boundary vs. typical PAM vendors: Technical differences
Most PAM vendors—whether established incumbents or newer entrants—rely on portal-centric workflows. Users must navigate to the tool to obtain access.
Boundary uses a native-tool workflow instead. Rather than forcing you to visit Boundary, transparent sessions operate silently in the background.
The technical distinction: When a developer or administrator installs the Boundary Client Agent, it functions as a local DNS resolver for designated domains. After authentication, when you type ssh production-web.corp in a terminal or open db-prod.corp in your browser, the client-agent running quietly in the background performs two actions:
Intercepts the DNS request for that protected alias
Automatically routes traffic through Boundary proxies
The proxies provide network access and route traffic to the target, establishing the connection. This happens instantly, without interrupting your workflow or requiring interaction with a separate portal.
No context switching. Once authenticated to Boundary, there's no repeated portal login or proprietary tool launch for each new session. You use your preferred native tools—VS Code, PuTTY, Windows RDP, or your terminal of choice.
True passwordless: The Vault synergy
Connectivity is only half the solution. The other half involves managing credentials—the "keys to the kingdom" for target resources. This is where the integration between Boundary and HashiCorp Vault delivers a competitive advantage that standalone access tools struggle to match.
In traditional workflows, even after access is granted, users often "check out" a password. They copy it to clipboard and paste it into their client. This creates credential exposure risk. When a user knows a password (or has it in clipboard history), that credential can be phished, written down, or reused.
Boundary leverages its deep Vault integration to enable truly passwordless access via credential injection.
Supporting both SSH and RDP credential injection, Boundary acts as a secure broker. When a user initiates a connection:
Transparent sessions intercepts the DNS request via the Boundary Client Agent
Boundary verifies user authentication and policy
Boundary requests a dynamic or static secret from Vault
Vault returns the secret to Boundary
Boundary injects the credential directly into the protocol stream
This differs fundamentally from a "password vault" where users view secrets. In Boundary, users never see the password. You gain the compliance benefits of:
High-entropy credentials
Frequent secret rotation
Single-click authentication
Here's how fast the process works from the developer's perspective:
Why this beats the "portal" approach
Many secure remote access and PAM tools are built around a "vault-first" mentality. You enter a web vault to "check out" access. It's like visiting a bank teller every time you need to buy coffee. Boundary is like tapping your credit card—the security checks happen, but in the most frictionless way possible.
An example scenario: The old way vs. the Boundary way
The old way:
09:00 a.m. Jane receives a ticket to debug a Linux server
09:05 a.m. She connects to the VPN
09:07 a.m. She logs into a web portal and searches for target account details
09:10 a.m. She selects the target and retrieves/copies the credentials
09:15 a.m. She opens her terminal/SSH client, pastes the IP and password
Risk: The password now exists in her clipboard history, and the time spent adds productivity overhead
The Boundary way:
09:00 a.m. Jane receives a ticket to debug a Linux server
09:01 a.m. She types
ssh alias.targetin her SSH tool of choiceResult: She's in. Boundary authenticated her session in the background and injected the credentials. Zero friction. Zero clipboard risk. Easier zero trust workflow
Some PAM providers offer credential injection, but Boundary's transparent sessions are the key to eliminating the portal tax and enabling teams to use a native-tool workflow.
The future of access is invisible
Enterprises don't need to choose between security and speed. With Boundary, organizations can make the secure path the fastest and easiest option for developers, mitigating one of IT's most common breach vectors: credential theft from the endpoint. When users don't have to fight their tools to accomplish work, organic adoption of the secure path becomes the norm—and it won't feel imposed.
See Boundary in action
Watch the transparent sessions demo video
Create a free HCP account and deploy HCP Boundary for your environment
View transparent sessions setup details in our documentation
Check out our tutorials on Boundary
Download the latest version of Boundary installer to try it yourself
