Hiding one-time password secrets


Hi, first of all, 1Password for Teams is amazing! We're in the process of getting everyone in our small company to use it and so far it's been smooth sailing, thank you!

The one-time password feature is very handy and it allows us to enable 2FA on shared accounts. However, it would be even more useful if it was possible to hide the secret completely, i.e. only show the generated code. If I'm not wrong, this would pretty much solve the issue of disgruntled ex-employees using passwords to do harm as they would require constant access to the 1Password vault to get the always changing 2FA codes. With users being able to reveal the secret however, they can just take the secret with them and keep generating codes on their own devices.

As far as I can tell hiding secrets is not possible currently, is it something you'd be willing to implement?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • Hi @AntiPaste,

    Thank you for the kind words. I'm happy that 1Password Teams has been working well for you so far.

    You're right that it's not currently possible to completely hide the TOTP secret. However, you can get pretty close, possibly close enough for what you're looking for. With the Pro plan of 1Password Teams, you can use more fine-grained access control. One of those options is called "Reveal Password". By not granting a user that access, you're telling 1Password that they should be able to use a Login item in our browser extensions, but that 1Password should do what it can to disallow the user from seeing the actual password value. Now... I'm talking about passwords here and not TOTP, but the effect is the same there. They would be able to read the current TOTP value, but not be able to Edit, or Export, or Copy the item to another vault: barring them access to the secret.

    Does that sound reasonable?


  • What about making the vault with these items read-only? I think you could obtain the TOTP secret only by editing or exporting the items?

  • AntiPaste
    Community Member
    edited January 2018

    Thanks for the replies!

    I trialed the Pro version and took a look at the access control options. The generation of the TOTP code still happens client-side, a one-line modification to the extension reveals the TOTP secret. The access controls very likely work for most users, but sadly our team is full of highly technical people so we cannot put our trust into obscurity.

    As I understand it, the code generation would have to be moved server-side which would mean that the 1Password servers would have knowledge of the secret, which is fine by me since the passwords and other data is still encrypted, but I understand that it would rattle the nerves of other users.

    The more I think of it, the more complicated it seems!

  • roustem
    edited January 2018

    Aha, I kept thinking about the native clients and missed the part about the web client. We certainly do no want to know your secrets on the server side.

    Perhaps you could hide this vault and not show it in the web client at all? In the Vault Details page, there is an "App Access" section that allows you to choose where this vault could appear.

This discussion has been closed.