The implementation project has come to an end. The application is running, the infrastructure is configured, and the tests have been passed. It is time to hand over the access credentials to the client: for the admin panel, server, CMS system, and email inboxes.
The client does not have a perc.pass account. And they don’t need to.
An IT agency concludes an implementation
For three months, an implementation company carried out a project for a client in the manufacturing industry. At the end of the project, it must securely hand over a dozen sets of login credentials: access to servers, the hosting panel, the ERP system, the corporate mailbox, and the domain registry account.
What does this usually look like without the right tool? Passwords end up in a PDF file or an Excel sheet that is sent via email – often with the password to the file included in the very same message. Or they are pasted directly into the body of an email or a Teams message. Each of these methods creates a permanent, uncontrolled footprint: the message containing the password in plain text is archived on both parties’ mail servers, accessible from any device with access to the inbox, and impossible to “unsend” after transmission.
If the client’s mailbox is compromised a week after the passwords are handed over, the attacker gains access to all the systems that the implementation company painstakingly configured over three months.
How a one-time link works in perc.pass
perc.pass makes it possible to hand over a password to someone without an account in the system via a one-time, encrypted link. The mechanism operates in three steps:
Step 1: Generating the link. The agency employee selects the specific access data and generates a one-time access link. At this stage, they define two security parameters:
- Link expiration time – the link expires after a specified period (e.g., 1 or 24 hours), regardless of whether it was used. Once expired, it becomes inactive and does not lead to any data.
- Link access password – an optional but recommended additional security measure. The recipient must know the password for the link to work at all. The password is communicated via a separate channel, such as over the phone or via SMS.
Step 2: Sending the link. The link is sent to the client through any channel – email, Teams, or a messenger. Even if the message is intercepted, the link is useless without the access password, and if the password itself is compromised – the link will still expire after the defined time.
Step 3: Retrieval by the client. The client opens the link, enters the access password (if one was set), and views the transferred login data just once. Once the page is closed or refreshed, the link becomes inactive and cannot be used again.
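The three steps above can be modelled in a few lines. This is an added example, not perc.pass code: the class, method and event names are hypothetical, the store is in-memory, and it models only the link lifecycle (expiry, access password, single retrieval, audit trail), not the encryption of the link contents.

```python
import hashlib
import hmac
import secrets
import time

class OneTimeLinkStore:
    """Toy in-memory model of a one-time link; all names here are hypothetical."""

    def __init__(self, clock=time.time):
        self._links = {}     # token -> entry holding the secret until retrieval
        self.audit = []      # (token fingerprint, event, timestamp); never the secret
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _kdf(password, salt):  # only a salted, stretched hash of the password is kept
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _log(self, token, event):
        fingerprint = hashlib.sha256(token.encode()).hexdigest()[:12]
        self.audit.append((fingerprint, event, self._clock()))

    def create(self, secret, ttl_seconds, access_password=None):
        token = secrets.token_urlsafe(32)  # unguessable link identifier
        salt = secrets.token_bytes(16)
        self._links[token] = {
            "secret": secret,
            "expires": self._clock() + ttl_seconds,
            "salt": salt,
            "pw": self._kdf(access_password, salt) if access_password else None,
        }
        self._log(token, "generated")
        return token

    def redeem(self, token, access_password=None):
        entry = self._links.get(token)
        if entry is None:  # unknown, already used, or already purged
            return None
        if self._clock() >= entry["expires"]:  # expiry applies even if never used
            del self._links[token]
            self._log(token, "expired")
            return None
        if entry["pw"] is not None:
            candidate = self._kdf(access_password or "", entry["salt"])
            if not hmac.compare_digest(candidate, entry["pw"]):
                self._log(token, "wrong_password")  # assumption: a failed attempt does not burn the link
                return None
        del self._links[token]  # single retrieval: delete before returning
        self._log(token, "used")
        return entry["secret"]
```

The audit list records when a link was generated, used or expired by token fingerprint only, so the history never contains the credential itself.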
Why it matters
No permanent footprint. A password handed over via a one-time link does not exist in the mailbox history, communicator history, or any other archive. Once the link expires, the login data is no longer accessible via this path – for anyone.
Control over exposure time. The agency decides how long the link remains active. If the client does not retrieve the access data within 24 hours – the link expires, and the agency generates a new one. The timeframe during which the password is potentially accessible via the link is strictly defined and controlled.
Proof of proactive management. The history of generated and used links is recorded in perc.pass. You can document when a link was generated, when it expired, and whether it was used – with no trace of the password in an uncontrolled communication channel. In the event of a later incident on the client’s side, the agency possesses documentation proving that the transfer of access credentials took place securely.
Handing over access credentials to a client who does not have a password manager account does not have to mean reverting to an email with a password in its body. A one-time, time-limited, and optionally password-protected link is a mechanism that eliminates a permanent credential footprint in uncontrolled channels – without any technical requirements on the client’s side.
The client does not need to install any application. They do not need to create an account. All they need to do is open the link and retrieve the data – once, securely, and without a trace.
If you want to check how one-time links work in practice – test perc.pass during a free TRIAL.