Brian

53%
A user name/password system is difficult to manage because there’s no meaningful way to expire keys. If you feel your password has been compromised, you will have to change the password in every consuming system after you change it with the provider. During the period between the time you change it with the provider and you change it with a consumer, the consumer will be broken.
Brian
This can be mitigated by enabling both sets temporarily, but this doesn’t work for immediate scenarios like a breach.
The REST API Design Handbook
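The overlap window from the note above, and why it cannot help after a breach, as an added example that is not from the book or the annotator. The `CredentialStore` class, its method names and the timestamps are hypothetical.

```python
import hashlib
import hmac
import os


def _entry(secret: str) -> tuple[bytes, bytes]:
    """Store a salted PBKDF2 digest, never the secret itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _matches(presented: str, entry: tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class CredentialStore:
    """Hypothetical provider-side record for one consumer's credential."""

    def __init__(self, secret: str):
        self.current = _entry(secret)
        self.previous = None          # old credential kept during an overlap
        self.previous_expires = 0.0   # timestamp after which it is rejected

    def rotate(self, new_secret: str, now: float, overlap_seconds: float) -> None:
        # Planned rotation: overlap_seconds > 0 keeps both sets valid so
        # consumers keep working until they are updated.
        # Breach: overlap_seconds == 0 kills the old set at once, and every
        # consumer still holding it fails until it is reconfigured.
        if overlap_seconds > 0:
            self.previous = self.current
            self.previous_expires = now + overlap_seconds
        else:
            self.previous = None
        self.current = _entry(new_secret)

    def verify(self, presented: str, now: float) -> bool:
        if _matches(presented, self.current):
            return True
        if self.previous is not None and now < self.previous_expires:
            return _matches(presented, self.previous)
        return False
```

With a non-zero overlap the compromised credential stays usable for the whole window, which is why the breach case has to use zero and accept the consumer outage.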