
How We Share Credentials Securely — And How You Always Know It’s Really Us

Always Beyond uses secure password sharing links to deliver credentials — one-time links that self-destruct after first use, never sent by email or chat. We also verify your identity before acting on sensitive requests, and we make it easy for you to verify ours.
Apr 21, 2026

When Always Beyond sends you a new password or access credential, it does not arrive as text in an email or Teams message. Instead, you get a short-lived link. You click it, see the password once, and the link stops working. You may also have noticed that when you request something sensitive — an admin access change, a configuration update, a password reset — we ask you to verify your identity before we proceed.

Both of these practices have specific reasons behind them that go beyond general caution. This post explains what we use, why we use it, and what would happen if we did things differently. It also explains how you can verify that any contact claiming to be from Always Beyond is actually us — which matters just as much as us verifying you.

Why We Don’t Send Passwords by Email or Chat

The instinct when someone needs a password is to put it in an email or a Teams message. It is fast and familiar. It is also one of the least secure ways to transmit credentials — and the problem is not mainly about interception while the message is in transit.

The deeper issue is persistence. A password sent by email does not disappear after the recipient reads it. It sits in the inbox. It gets backed up. It exists in server logs. It may be indexed by Microsoft Search. It could be forwarded. If the recipient’s account is ever compromised — today or three years from now — that credential is right there, waiting. The same applies to Teams messages, which are retained and searchable by default in most Microsoft 365 environments.

🚨  A credential sent by email has an indefinite lifespan. Every account that has ever received a password by email carries that credential in its history until someone actively deletes it — and in a Microsoft 365 environment with archiving or litigation hold enabled, it may be retained regardless of user action.

This is the problem our secure password sharing links solve.

What Our Secure Password Sharing Links Are and How They Work

Rather than sending credentials directly in a message, we generate a secure, one-time link for each credential we need to share with you. You click the link, the information appears once, and then it is permanently deleted from the system.

The step-by-step workflow

  1. We enter the credential — a password, a PIN, a temporary code — into our secure sharing system and configure the expiry: typically 1 view and 24 hours, whichever comes first.
  2. The system generates a unique secret URL. The credential is encrypted at rest and stored only until the link expires.
  3. We paste that URL into your support ticket, email, or Teams message — not the credential itself.
  4. You click the link. The credential appears on screen. That counts as one view.
  5. The link expires immediately on reaching its view limit. The credential is permanently deleted from the system. The URL cannot be opened again.

💡  If you click the link and it shows ‘expired’ or ‘not found,’ either the link has already been viewed — which is worth flagging to us, as it may mean someone accessed it before you — or it timed out. In either case, contact us through your Always Beyond Support Portal and we will generate a new one.

What this protects against

  • The credential never exists in your inbox, chat history, or any server log in readable form — only the URL does, and the URL is meaningless once expired
  • If your email or Teams account is compromised later, an attacker searching your message history finds nothing usable
  • Every access to the link is logged with a timestamp and IP address — unexpected access before you open it is detectable
  • You can delete a link yourself before it expires if needed, cutting off access immediately
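
The workflow and the access-logging point above can be modelled in a few lines. This is an added example, not Always Beyond's system or the code of any product: the class and method names are hypothetical, the secret is held in memory rather than encrypted at rest, and the IP addresses are constructed documentation-range values.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

DAY = 24 * 3600


@dataclass
class Entry:
    secret: Optional[str]          # None once burned, expired or revoked
    views_left: int
    expires_at: float
    log: list = field(default_factory=list)  # (timestamp, ip, outcome)


class OneTimeSecretStore:
    """Toy in-memory model; a real service also encrypts the payload at rest."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _index(token):
        # Key the store by a hash so a dump of the index is not a list of links.
        return hashlib.sha256(token.encode()).hexdigest()

    def push(self, secret, now, max_views=1, ttl=DAY):
        if max_views < 1:
            raise ValueError("max_views must be at least 1")
        token = secrets.token_urlsafe(32)  # unguessable URL component
        self._entries[self._index(token)] = Entry(secret, max_views, now + ttl)
        return token

    def open(self, token, ip, now):
        entry = self._entries.get(self._index(token))
        if entry is None:
            return None, "not_found"
        if entry.secret is None or now >= entry.expires_at:
            entry.secret = None  # time limit reached: delete the payload
            entry.log.append((now, ip, "expired"))
            return None, "expired"
        secret = entry.secret
        entry.views_left -= 1
        if entry.views_left == 0:
            entry.secret = None  # view limit reached: delete the payload
        entry.log.append((now, ip, "viewed"))
        return secret, "viewed"

    def revoke(self, token):
        entry = self._entries.get(self._index(token))
        if entry is not None:
            entry.secret = None  # sender or recipient cuts off access early

    def successful_views(self, token):
        """Who actually saw the secret: the record to check after a report."""
        entry = self._entries.get(self._index(token))
        return [(t, ip) for t, ip, outcome in (entry.log if entry else [])
                if outcome == "viewed"]


if __name__ == "__main__":
    # Constructed scenario: a third party opens the link before the recipient.
    store = OneTimeSecretStore()
    link = store.push("Temp-Pa55word!", now=0)
    store.open(link, "203.0.113.50", now=300)         # unexpected first view
    print(store.open(link, "198.51.100.7", now=900))  # recipient sees "expired"
    print(store.successful_views(link))               # log shows who got it
```

When a recipient reports "expired on first open", the list returned by `successful_views` is what tells support whether to treat the credential as exposed and rotate it.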

How we separate credentials from context

Security is further improved when the credential and the information needed to use it travel through different channels. We apply this in our workflow:

  • The credential itself: delivered via secure link — expires on first view
  • The system it applies to and the username: communicated in the ticket or message thread, separately from the credential
  • Any passphrase required to open the link: communicated verbally or through a separate channel for higher-sensitivity requests

✅  A password alone is of limited value to someone who does not know what system it belongs to, what username it pairs with, or that it was sent to you at all. Keeping these pieces separate means a compromised email account yields very little even in a worst-case scenario.

How We Verify Your Identity Before Acting on Sensitive Requests

The other side of this is making sure that when someone contacts us claiming to be you — or claiming to act on your behalf — we are actually dealing with the right person before we take any consequential action.

IT support is a well-documented social engineering target. Attackers who want access to a business do not always attempt a technical breach. They contact the IT provider, claim to be the business owner or an employee, and request a password reset or permission change. This works when the provider acts without adequately confirming who they are speaking to. The Scattered Spider group built an entire attack methodology around this exact approach — calling corporate helpdesks, impersonating employees, and talking their way through credential resets to gain network access.

We use a structured identity verification process for sensitive requests — one that removes technician judgment from the equation entirely. Rather than asking you a security question or relying on a callback we could get wrong, our system triggers a verification push directly to the authenticator app or phone number already registered to your account. You confirm with a tap or a code. We cannot proceed until that confirmation arrives. Here is how it works.

What triggers identity verification

Not every request requires the same level of confirmation. Routine support — a software question, a connectivity issue, a non-critical settings change — proceeds through normal ticket channels. The following always trigger our identity verification process:

  • Password resets for any account, particularly administrator or owner-level accounts
  • MFA reset or removal for any user
  • Changes to account permissions or access levels
  • Adding or removing users from your Microsoft 365 tenant
  • Any request involving financial systems, payroll platforms, or banking-connected integrations
  • Requests made urgently or outside normal business hours involving account access
  • Any request that appears inconsistent with your organization’s established patterns

How our verification process works

| Verification Method | How It Works |
| --- | --- |
| MFA push to your registered device | When you contact us for a sensitive request, we trigger an identity verification push directly to the authenticator app registered to your account — Microsoft Authenticator, Duo, or a similar MFA app you already use. You receive a prompt on your device and approve it with a tap. We cannot proceed until the push is approved. You never need to read out a code or answer a question — your registered device confirms it’s you. |
| One-time code via SMS or email | For contacts who do not have an authenticator app configured, we send a one-time verification code to the phone number or email address registered to your account. You read the code to our technician, who enters it to confirm your identity. The code expires within minutes and cannot be reused. |
| Verification through your Always Beyond Support Portal | Requests submitted through your authenticated Always Beyond Support Portal are tied to your verified account login. This is the strongest channel for sensitive requests — your portal login itself serves as the identity confirmation, and no additional verification step is required. |
| Escalation to your authorized contact | For requests made by someone other than our primary contact at your organization, we confirm with your designated decision-maker before acting. We initiate that confirmation ourselves — using the contact details we have on file, not any information provided in the request. |

⚠️  We will never skip identity verification because a request is described as urgent. Urgency is one of the most reliable social engineering tactics — pressure to act quickly before checking properly. A request that claims time sensitivity and asks us to bypass verification is itself a flag we will act on, not around.

How You Can Verify That It’s Really Always Beyond

This is the half of the equation that is easy to overlook — but it matters just as much. Attackers impersonate IT providers to extract credentials from end users. They call with IT-sounding pretexts, send convincing emails, and ask users to hand over passwords, install remote access tools, or click links. The call often sounds completely legitimate because the attacker has gathered enough background information about your organization to be credible.

You should verify that you are dealing with us before providing any credentials, granting remote access, or acting on any security-related instruction you were not already expecting. Here is how.

How to verify it’s really us

Before you provide any credentials, grant remote access, or act on a security-related instruction, you can confirm the identity of the Always Beyond technician you are dealing with. We have a built-in verification workflow specifically for this — and it takes less than a minute.

  • Ask for a verification code: When a technician contacts you, you can request a technician verification at any time. Our system instantly sends a unique matching code to both you and the technician simultaneously — by SMS, through your Always Beyond Support Portal, or via Microsoft Teams, depending on how you prefer to receive it. If the code the technician reads to you matches the one you received, you are speaking to a verified Always Beyond technician. If they cannot provide the matching code, do not proceed.
  • Check your open tickets: Every legitimate Always Beyond interaction is connected to a ticket in your Always Beyond Support Portal. If someone contacts you about a support issue but there is no corresponding ticket, that is a significant warning sign. Log in to your portal independently and confirm the ticket exists before taking any action.
  • Call us back on your known number: If you are uncertain about any contact and prefer to verify outside of the code workflow, hang up and call us back directly using the number in your Always Beyond Support Portal or on our website — not any number the caller provides. We will never take offence at this.
  • Check the full email address, not just the display name: Emails from Always Beyond come from our domain. Attackers use lookalike domains — alwaysbeyond.co instead of .com, or substituting a zero for an O. The display name on an email can be set to anything; the actual sending domain cannot be easily faked in a way that passes standard email authentication.
  • Verify remote access sessions through your established tools: When we initiate a remote session, it comes through your ticketing system or the remote access tool your organization already uses. We do not cold-call and ask you to download and run new remote access software mid-conversation. If someone does this, treat it as suspicious.

📋  The technician verification code is the fastest and most reliable way to confirm you are speaking to an Always Beyond technician — particularly for phone calls or remote sessions where you did not initiate the contact. A legitimate technician will always be able to provide it. If they cannot, stop the interaction and contact us directly through your Always Beyond Support Portal.
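
The "check the full email address, not just the display name" step above, written as a check a mail filter or a curious recipient could run. This is an added example, not Always Beyond tooling: the trusted domain is taken from the page's ".co instead of .com" example, and the confusable-character table, the distance threshold and the sample headers are constructed assumptions. It inspects the address string only; whether the message passes email authentication is a separate check.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "alwaysbeyond.com"  # assumed from the page's .co/.com example

# Digits commonly substituted for letters (constructed, not exhaustive).
CONFUSABLES = str.maketrans("0135", "oles")


def skeleton(text):
    """Lower-case and fold look-alike digits back to letters."""
    return text.lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAIN):
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    brand = trusted.rpartition(".")[0]
    label = domain.rpartition(".")[0]
    # Same name under another TLD, or the same name with swapped characters.
    if skeleton(label) == brand:
        return "lookalike"
    # Near misses such as an added hyphen or a doubled letter.
    if edit_distance(skeleton(domain), trusted) <= 2:
        return "lookalike"
    # Display name claims the brand but the address is unrelated.
    if brand in "".join(ch for ch in display.lower() if ch.isalnum()):
        return "display_name_only"
    return "other"


if __name__ == "__main__":
    samples = [  # constructed From headers
        '"Always Beyond Support" <help@alwaysbeyond.com>',
        '"Always Beyond Support" <help@alwaysbeyond.co>',
        'Always Beyond <it@alwaysbey0nd.com>',
        '"Always Beyond IT" <support@example.net>',
    ]
    for header in samples:
        print(classify_sender(header), header)
```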

Red flags that should make you stop

  • Someone claiming to be Always Beyond asks for your password verbally, over chat, or by email — we will never do this
  • You are asked to install remote access software from a link sent in an email or chat message, outside of an established workflow
  • Someone calls claiming urgent action is needed and asks you to skip normal verification steps
  • You receive a secure credential link you were not expecting and no one told you to look for
  • The writing style or tone of a message claiming to be from us is noticeably different from our normal communications

🚨  If something feels wrong, stop and verify before taking any action. A legitimate request delayed by 10 minutes costs nothing. Acting on a malicious request can cost significantly more. Any genuine Always Beyond technician will understand and support the pause.

Why Both Directions of Verification Matter

Social engineering attacks against IT support have become one of the most reliable and consistently exploited tactics in modern cybercrime — not because the technology fails, but because the human verification process does. Credential theft is now involved in more than 20% of all data breaches, and the service desk is one of the most targeted points for escalating that theft into full account access.

The attack works from both directions. Attackers impersonate employees to manipulate IT providers into resetting credentials and granting access. They also impersonate IT providers to manipulate employees into handing over credentials or installing tools that provide access. Neither approach requires any technical sophistication — just enough background knowledge to seem legitimate and enough pressure to short-circuit verification.

The workflows described in this post are designed to close both gaps:

  • Our secure password sharing links remove the persistent credential trail from email and chat, so compromised accounts yield nothing usable from past support interactions
  • Our identity verification process means that knowing your name, email address, and employer is not sufficient to manipulate us into acting on your account
  • Your ability to verify us means that knowing our name and enough about your systems is not sufficient to manipulate you into providing access

Together, these close the two most commonly exploited gaps in IT support security — not by adding complexity, but by making the right habits the default on both sides.

What We Ask of You

Most of this runs in the background. But a few habits on your side make the whole system work:

  1. Open secure credential links promptly: Links typically expire after one view and 24 hours. If you receive one and cannot open it right away, let us know so we can time the delivery appropriately. Do not forward the link — once forwarded, it can be opened by anyone who receives it.
  2. Tell us immediately if a link shows as expired when you open it for the first time: This may mean someone else accessed it before you. We will revoke and reissue, and we will check whether the link was accessed unexpectedly.
  3. Use your Always Beyond Support Portal for sensitive requests: Requests submitted through your authenticated portal give us the strongest confirmation of your identity. For anything involving accounts, permissions, or credentials, the portal is the preferred channel.
  4. Call us back when you are uncertain: If you receive communication claiming to be from Always Beyond that you were not expecting, or that asks for something unusual, call us directly before taking any action. The number is in your Always Beyond Support Portal and on our website.
  5. Request a technician verification code whenever you want one: You do not need a reason to ask for verification. Any time a technician contacts you and you want to confirm their identity, ask for the code. A legitimate Always Beyond technician will provide it immediately without hesitation.

Frequently Asked Questions

Can I send credentials back to Always Beyond using a secure link?

Yes, and we encourage it. If you ever need to provide us with a password or access credential — for a system we are configuring or accessing on your behalf — using a secure link is the right approach. Go to pwpush.com, enter the credential, set it to expire after 1 view, and paste the link into your support ticket. The credential is never visible in your ticket history or ours after we retrieve it.

What if I accidentally try to open a secure credential link a second time?

If a link is set to 1 view, it expires immediately after the first open. A second attempt shows an expired page. This is expected — the credential was displayed once and is now permanently deleted. If you need it again, contact us through your Always Beyond Support Portal and we will generate a new link.

Are my credentials stored somewhere permanently?

No. Our secure sharing system deletes the credential from its database when the link expires — on first view or at the time limit, whichever comes first. The deletion is permanent and unrecoverable by design. Even if the service itself were ever compromised, expired links leave nothing to find.

What if someone at my organization requests a change from Always Beyond that I didn’t authorize?

This is exactly what our verification process is designed to prevent. For any change affecting account access, permissions, or security configuration, we confirm with an authorized contact at your organization before proceeding. If you are ever concerned that an unauthorized request was made on your behalf, contact us immediately — we will review the ticket history and take appropriate action.

We got an unexpected call from someone saying they’re from Always Beyond. What should we do?

Ask for a technician verification code. Our verification system will send a matching code to both you and the technician simultaneously. If the code they provide matches yours, the call is legitimate. If they cannot provide a matching code, end the call and contact us directly through your Always Beyond Support Portal. Do not install software, provide credentials, or take any other action until you have verified.

Why does Always Beyond use secure links instead of encrypted email?

Encrypted email protects a message in transit, but the credential still lands in your inbox and persists there. Our secure sharing links go a step further — the credential is never in your inbox at all, and it is automatically deleted the moment you access it. The one-time link approach also gives us visibility into whether and when the credential was accessed, which encrypted email does not provide. For routine credential delivery, our secure sharing links are the right tool.

Security That Works Both Ways

The tools and processes described here are not unique to Always Beyond — they represent how IT support should operate in an environment where impersonation attacks are routine and social engineering is one of the most reliable paths into a business network.

What we can offer is clarity: you know exactly how we handle your credentials, you know what to expect when we need to verify your identity, and you know how to verify ours. That transparency is part of what a managed service relationship should provide — not just technical capability, but visible, consistent processes you can understand and rely on.

If you have questions about any of these workflows, want to walk through the verification process with your team, or want to establish similar habits for sensitive internal requests at your organization, reach out through your Always Beyond Support Portal or contact us directly.

Questions about how we handle your credentials or want to walk through verification with your team? Log in to your Always Beyond Support Portal to submit a ticket, or reach out to Always Beyond directly. We are happy to walk through our security workflows with you or any member of your team.