To spend coins from given address, you need its corresponding private key. They can demonstrate that, the way they generate these addresses, they can't know the private keys. Or possibly matching private keys might not exist at all. In that case, as an analogy, think of unix account with disabled password, the password hash in /etc/shadow is "!". There is no password which has a hash "!". So effectively it is impossible to log in with password.