Implementing Maximum Security with One-Time Links

Co je a Jednorázový odkaz?

A one-time link is a link that can only be accessed once. It expires immediately after the first access, so no one can access it again.

Regular Link vs Jednorázový odkaz

Regular Password-Protected Link:

Created: https://lock.pub/abc123
Access 1: ✅ Success (password entered)
Access 2: ✅ Success (same password)
Access 3: ✅ Success (can continue using)

One-Time Link:

Created: https://lock.pub/xyz789
Access 1: ✅ Success (password entered)
Access 2: ❌ Expired (link already used)
Access 3: ❌ Expired (permanently deleted)

Why Are One-Time Links More Secure?

1. Prevents Reuse Attacks

Scenario: Link Leak

9:00 AM - Send DB password link to team member
9:05 AM - Team member checks link and copies password
9:10 AM - Link automatically expires (one-time)
10:00 AM - Hacker compromises team member's account
10:05 AM - Find link in messenger history
10:06 AM - Attempt to access link: ❌ Already expired

With a regular link, the hacker could have accessed it, but with a one-time link, it's already expired and secure.

2. Prevents Forwarding

Scenario: Link Forwarding

Situation: Employee A receives password and forwards to Employee B without authorization

Regular link:
A accesses: ✅ Success
B accesses: ✅ Success (problem!)

One-time link:
A accesses: ✅ Success
B accesses: ❌ Expired

One-time links become invalid even if forwarded to unauthorized persons.

3. Neutralizes Screenshot Attacks

Even if someone takes a screenshot of the link, a used link is meaningless.

Kdy použít One-Time Links

1. Sdílení Very Sensitive Information

Financial Information:

Information: Corporate account password
Settings:
- Password: Strong 16-character password
- Expiration: 1 hour
- Access limit: Once only
- Note: For today's wire transfer, copy immediately after checking

Personal Information:

Information: Social security number, passport number, etc.
Settings:
- Expiration: 30 minutes
- Access limit: Once only
- Note: For document preparation, link will auto-delete after checking

2. Production Environment Access

DB Administrator Password:

Information:
- Host: prod-db.company.com
- Username: admin
- Password: [Very strong password]

Settings:
- Expiration: 2 hours
- Access limit: Once
- Note: For production DB emergency recovery

After checking once, it expires immediately, so the same link cannot be accessed later.

3. API Secret Keys

Payment System Secret:

Information:
- Stripe Secret Key: sk_live_...
- Webhook Secret: whsec_...

Settings:
- Expiration: 6 hours
- Access limit: Once
- Note: Save to environment variables immediately after server setup

4. Temporary Admin Privileges

CMS Super Admin:

Information: WordPress admin account
- URL: /wp-admin
- ID: super_admin_temp
- PW: OneTimeP@ss2024!

Settings:
- Expiration: 3 hours
- Access limit: Once
- Note: To be deleted after emergency fix

Jednorázový odkaz Usage Strategies

Strategy 1: Implement Vícefaktorové ověření

Step 1: Send Link

Slack DM: https://lock.pub/abc123
Message: "Here's the DB access information link"

Step 2: Send Password

Phone or text: "Password is TempDB2024!"

Step 3: Additional Authentication

Include in note: "Additional authentication code will be sent to email after access"

This way, you need to obtain the link, password, and email all together to access.

Strategy 2: Time Limit + One-Time Combination

Settings:
- Start time: Today 14:00
- Expiration: 1 hour after start (auto-expires at 15:00)
- Access limit: Once

Result:
- Before 14:00: Access denied
- 14:00-15:00: Accessible once only
- After 15:00: Auto-expires

You can set it to be available only at the exact time frame for meetings.

Strategy 3: Access Limits by Team Size

Solo Work:

Access limit: Once
Purpose: Emergency work alone

Small Team (2-3 people):

Access limit: 3 times
Purpose: Frontend/Backend/DevOps once each

Medium Team (4-10 people):

Access limit: 10 times
Purpose: Information that the entire team needs to check

Real-World Case Studies

Case 1: Startup Investor Documents

Situation:

Delivering financial statements to investor
- Very sensitive information
- Should only be seen by 1 investor
- Must not be shared with other investors

Solution:

Information: Google Drive link (with permissions set)
Password: InvestorSecure2024!
Expiration: 48 hours
Access limit: Once
Note: Financial statements for investment review.
      Link will auto-delete after checking.

Result:

• Investor checks once
• Link auto-expires
• Even if investor forwards to others, it's invalid

Case 2: Hospital Patient Information Sdílení

Situation:

Transferring patient records to another hospital
- Must comply with privacy laws
- Should only be checked by attending physician
- Must be untraceable after transfer

Solution:

Information: Patient medical record download link
Password: Patient[patient_number]Medical!
Expiration: 24 hours
Access limit: Once
Note: Medical records for [patient name].
      Link expires immediately after checking.

HIPAA Compliance:

• ✅ Encrypted transmission
• ✅ Access restriction
• ✅ Auto-expiration
• ✅ No reuse

Case 3: Dev Team Production Deployment

Situation:

Emergency deployment at 2 AM
- Deliver server access info to DevOps engineer
- Password will be changed after deployment
- Allow temporary access only

Solution:

Information:
- SSH Host: prod-server-01.company.com
- Username: deploy_temp
- Password: DeployNow2024!@#
- Private Key: [attachment file link]

Settings:
- Start: Today 01:50 (10 minutes before deployment)
- Expiration: 3 hours after start
- Access limit: 2 times (main + backup)
- Note: Temporary account for emergency deployment
        Password will be changed immediately after deployment

After Deployment:

03:00 - Deployment complete
03:05 - Delete deploy_temp account on server
03:10 - Link also auto-expires (2 accesses complete before 3 hours)

Omezení of One-Time Links and Solutions

Limitation 1: Accidentally Double-Clicking

Problem:

User clicks link (1st time)
Accidentally clicks again while loading (2nd time)
→ Second click shows "Expired"

Solution:

Set access limit to 2-3 times
Or specify "Click only once" in note

Limitation 2: Page Refresh

Problem:

User accesses page (1st use consumed)
Enters wrong password
Refreshes → Already expired

Solution:

LOCK.PUB doesn't deduct access count
until password is entered correctly

Access (0 deducted)
→ Password entry screen
→ Enter correct password (1 deducted)
→ Redirect to original link

Limitation 3: Mobile Preview

Problem:

Messenger app generates link preview
→ Automatically accesses link
→ 1st use consumed
→ Actually clicking shows already expired

Solution:

Link preview only fetches simple metadata
so it doesn't affect actual access count

One-Time Links vs Other Security Methods

vs OTP (One-Time Password)

OTP:

Pros: Time-based auto-renewal
Cons: Requires app installation, complex setup

One-Time Link:

Pros: No app needed, immediately usable
Cons: Need to manage link itself

Use Together:

Deliver OTP secret via one-time link
→ Maximum security level

vs E2E Encrypted Messengers

Signal, Telegram Secret Chat:

Pros: Messages themselves encrypted
Cons: Recipient must also use same app

One-Time Link:

Pros: Can be delivered via any messenger
Cons: Link itself is plaintext

vs Správce hesel Sdílení

1Password, LastPass Shared Vault:

Pros: Continuous access possible
Cons: Subscription fee, app installation required

One-Time Link:

Pros: Free, optimal for temporary sharing
Cons: Cannot be permanently stored

Checklist: Before Using One-Time Links

Information Sensitivity Check

• ✅ Would leaking this information cause significant damage?
• ✅ Is this information that should not be reused?
• ✅ Should only specific 1 person see it?

User Situation Consideration

• ✅ Can information be copied at once?
• ✅ Accessing from mobile? (difficult to copy)
• ✅ Could network be unstable?

Alternative Preparation

• ✅ How to re-deliver if link expires?
• ✅ Is there an emergency contact method?
• ✅ Did you explain it so the user can understand?

Jednorázový odkaz Setup Guide

Maximum Security Setting

Password: 16+ characters random
Expiration: 1-3 hours
Access limit: Once
Start time: Exact time needed
Note: Include detailed usage instructions

Balanced Setting

Password: 8-12 characters
Expiration: 24 hours
Access limit: 2-3 times (for mistakes)
Note: Simple explanation

Team Sdílení Setting

Password: Match team convention
Expiration: 7 days
Access limit: Team size + 1-2 times
Note: Include team member list

Závěr

One-time links are the "sealed letter" of the digital age. Once opened, they can never be used again, providing the highest level of security.

LOCK.PUB's One-Time Links:

• 🔒 Auto-expires after 1 access
• ⏰ Can be combined with time limits
• 👥 Adjustable to team size
• 📝 Clear guidance with notes

"Only need to see it once" - The safest sharing method

Create one-time link now →