A one-time secret is a practical way to transfer sensitive information without leaving the readable value inside a permanent message. It is designed for information that the recipient needs briefly—such as a password, PIN, recovery code, private note or access token.
CyberRiskEvaluator combines encrypted storage, a protected access token, a separate decryption passkey and browser-side decryption. Limited access and expiration reduce unnecessary persistence while the underlying encryption protects the content itself.
Use a limited-access link for information that should not remain permanently visible in email or chat.
Create a Secure SecretThe defining idea is limited retrieval. A normal message can be reopened indefinitely; a one-time or tightly limited secret is intended to become unavailable after the permitted access or after a short expiration period.
Technical implementations differ. Some systems destroy the record immediately after the first successful retrieval. Others invalidate the link after access, after a fixed time or after both conditions. The security objective is the same: reduce the period during which the secret can be obtained.
A one-time secret is less suitable for information that several recipients must repeatedly retrieve. In that case, use an approved vault with access control, audit logs and credential lifecycle management.
One-time access controls availability; encryption protects confidentiality. A record that is deleted after opening can still be exposed if it was stored or transmitted in plaintext before deletion.
CyberRiskEvaluator encrypts the secret with AES-256-GCM. The encryption key is derived from the passkey using PBKDF2-HMAC-SHA-256 and a random salt. The recipient enters the passkey in the browser, which performs the decryption locally.
This layered model protects the content before access and limits access afterward.
Sending the passkey in the same email as the link defeats the separation of channels. Choosing a weak passkey makes encrypted records more vulnerable to guessing. Setting an unnecessarily long expiration recreates the persistence problem the one-time link was meant to reduce.
Another mistake is treating link destruction as proof that the recipient did not copy the value. Once revealed on an endpoint, the recipient can copy, photograph or store it. Use one-time secrets only with authorized recipients and apply least privilege to the underlying credential.
A password manager or enterprise vault stores and governs credentials over time. A one-time secret transfers a value from sender to recipient. The two controls complement each other: transfer the initial credential securely, then store it in the approved vault.
For high-risk accounts, combine the transfer with multifactor authentication, forced password change, short-lived privileges and monitoring of the first login.
That depends on the implementation and policy. The safest model invalidates access after the permitted retrieval or when the expiration time is reached.
No. Limited access and encryption are separate controls. A secure implementation should encrypt the content before storage and transport it only over HTTPS.
Passwords, recovery codes, temporary tokens, PINs and confidential text are common examples, provided the recipient is authorized.
Use the shortest period that fits the business process. A few hours is often preferable to several days for urgent credential transfer.
Yes. One-time access limits retrieval from the service, but it cannot prevent an authorized recipient from copying information after decryption.
Protect passwords, files and confidential text with encrypted links, a separate passkey and browser-side decryption.
Start Secure SharingContent reviewed on 14 July 2026. Security requirements should be adapted to your organization’s risk, policy and regulatory obligations.