i believe you may be right. it's good malicious social engineering defence. however, the passwords (even if rotated) would be vulnerable due to disgruntled workers. maybe something like a secret validation code stored offline that needs to be simultaneously authenticated by multiple parties but is not visible to the sender or recipient.