There’s one credential scenario most MSPs handle badly and rarely talk about: two-factor authentication seeds for client accounts.
A client’s Office 365 Global Admin is protected by 2FA. So is their firewall management portal, their domain registrar, their DNS host, their backup console. Each of those accounts has an authenticator seed — a secret string that generates the six-digit codes. When you set up the 2FA, you either scan a QR code or get a text string. That string is the seed. If you lose it, recovering access to the account is a painful support call to the vendor. If someone else gets it, they can generate valid OTP codes without the device you set it up on.
The question is: where does that seed live in your MSP?
The honest answer, for most shops: a phone. Maybe a shared team phone running Google Authenticator. Maybe one technician’s personal Authy account. Maybe a screenshot in a Teams channel. Sometimes a text file in a shared folder.
None of these are good answers. The phone becomes a single point of failure. The screenshot is unencrypted. The Authy account leaves when the technician does. And none of them are connected to the client record they belong to, so when that account credential needs to change or rotate, the 2FA seed is somewhere else entirely.
Weavestream keeps the seed alongside the password, encrypted the same way, visible to the same people, and accessible from the same place.
TOTP Secrets Are a First-Class Field
In Weavestream’s password vault, every credential record has a TOTP field. When you paste in a TOTP secret — the base32 string you’d normally hand to an authenticator app — Weavestream:
- Encrypts the secret with AES-256-GCM, the same envelope encryption used for the password itself
- Associates it with the credential it belongs to, inside the tenant it belongs to
- Generates the current six-digit OTP code and displays it inline, with a countdown timer showing how many seconds are left before it rolls
There’s no separate app to open. No phone to find. You open the client’s credential in Weavestream, and the current code is already there.
The vault supports the SHA1, SHA256, and SHA512 TOTP algorithms — which covers every service that follows RFC 6238 and then some.
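As an added illustration of what that inline display does (this is example code, not Weavestream's own implementation), here is a stdlib-only RFC 6238 generator covering the three algorithms named above plus the rollover countdown; the demo seed and the default parameters (6 digits, 30-second step) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Hash functions for RFC 6238 TOTP; these are the three the text names.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def decode_seed(secret_b32: str) -> bytes:
    """Decode the base32 string an authenticator app would be given.
    Spaces and missing '=' padding (common in pasted seeds) are tolerated."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp_from_key(key: bytes, at_time: float, algorithm: str = "SHA1",
                  digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HMAC over the big-endian time counter, dynamic truncation, mod 10^digits."""
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at_time: Optional[float] = None, algorithm: str = "SHA1",
         digits: int = 6, step: int = 30) -> str:
    """Current code for a stored base32 seed (what a vault would show inline)."""
    if at_time is None:
        at_time = time.time()
    return totp_from_key(decode_seed(secret_b32), at_time, algorithm, digits, step)

def seconds_remaining(at_time: Optional[float] = None, step: int = 30) -> int:
    """Countdown until the displayed code rolls over to the next one."""
    if at_time is None:
        at_time = time.time()
    return step - (int(at_time) % step)

if __name__ == "__main__":
    # Constructed seed for illustration only (base32 of the RFC 6238 test key).
    demo_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    for algo in ALGORITHMS:
        print(algo, totp(demo_seed, algorithm=algo), f"({seconds_remaining()}s left)")
```

The vectors in RFC 6238 Appendix B (8-digit codes at T=59) are a quick way to confirm that all three algorithm paths are wired correctly before trusting the codes for a real account.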
What This Solves for MSPs
The practical change is that your 2FA seeds are now where your credentials are. That has a few downstream effects worth spelling out.
Access follows the same RBAC rules. If a technician doesn’t have access to a particular company’s passwords, they also don’t have access to that company’s TOTP codes. You don’t need a separate policy for who can see 2FA seeds — the vault’s existing role-based access handles it.
Every code reveal is logged. Weavestream writes an audit event every time a credential’s secret is decrypted — and this extends to TOTP. You get a tamper-resistant record of who accessed which credential, at what time, and from what IP. For compliance-minded MSPs or anyone who’s had to investigate an incident, this matters.
Onboarding and offboarding stop creating gaps. When a technician leaves and you remove their vault access, they lose access to the 2FA seeds at the same time as everything else. There’s no separate authenticator app to revoke, no phone to wipe, no Teams channel to clean up.
The seed travels with the credential. If you archive a password, the TOTP is archived with it. If you link the credential to an asset, the TOTP is part of that record. The seed doesn’t live on a device or in a separate system — it’s part of the documentation.
Breach Detection on Every Save
Alongside TOTP, Weavestream runs a HaveIBeenPwned lookup on every password you save or update. The mechanism uses k-anonymity: only the first five hex characters of the password’s SHA-1 hash are sent to the HIBP API, which answers with every hash suffix in that range, and the comparison happens locally. The full password never leaves your server.
If a credential matches a known breach, you’re told about it at save time. This catches the most common credential hygiene failure at MSPs — passwords that were set years ago, reused across clients, and quietly compromised in a breach that nobody noticed.
You can disable the HIBP check with HIBP_ENABLED=false in your .env if your deployment can’t reach the external API, but it’s on by default.
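The k-anonymity flow described above, as an added example rather than Weavestream's code: the SHA-1 is split into the five-character prefix that goes to the range API and the suffix that is matched locally. The lookup function is injected so the example runs offline; the range response body, including its counts, is constructed.

```python
import hashlib
from typing import Callable, Tuple

def hibp_split_hash(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the range API and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def match_range_response(suffix: str, body: str) -> int:
    """Compare the local suffix against a range response ('SUFFIX:COUNT' per line).
    Returns the breach count, or 0 when the password is not in the range."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """fetch_range maps a prefix to the response text, e.g. an HTTP GET of
    https://api.pwnedpasswords.com/range/<prefix>. Only the prefix is ever sent."""
    prefix, suffix = hibp_split_hash(password)
    return match_range_response(suffix, fetch_range(prefix))

# Constructed stand-in for a range response. Real responses hold hundreds of lines and
# real counts differ; only the suffix of SHA-1("password") is meaningful here.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "1E2BD3C2A3F4D8B0D6C1B2F7A8E9D0C1B2A:1\r\n",
}

def offline_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes return an empty range."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")

if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-for-this-client"):
        hits = check_password(candidate, offline_lookup)
        print(candidate, "->", f"seen {hits} times" if hits else "not in range")
```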
Every Password Change Is Versioned
When a credential is updated in Weavestream, the previous state is preserved as an immutable PasswordVersion record. This captures:
- The previous password ciphertext
- The previous username, URL, and name
- The actor who made the change and the timestamp
Version history can’t be deleted. Archived passwords keep their history. If a client’s admin account stops working and you need to know what the password was before someone changed it last Tuesday, you can look it up.
This is the kind of thing that feels unnecessary until the moment you need it — usually during an incident or an offboarding dispute.
Envelope Encryption and Key Rotation
The same encryption model covers passwords, TOTP secrets, and notes. Each secret is encrypted with AES-256-GCM using a key identified by a configurable kid (key ID). The ciphertext blob carries the kid, so rotating to a new key is non-destructive: old blobs decrypt seamlessly under the previous key and re-encrypt under the current one on the next update.
For MSPs running Weavestream for compliance-sensitive clients, this means you can rotate encryption keys on a schedule without a migration event or data loss.
Where This Fits in the Vault
To be clear about what’s in scope: this isn’t about managing 2FA for your technicians’ accounts (that’s handled by Weavestream’s forced TOTP on every user login). This is specifically about the 2FA seeds for client accounts that your technicians need to access — the services you manage on behalf of your clients.
The credential record in Weavestream is designed to hold everything relevant to a single account: the username, the password, the URL, the 2FA seed, the associated notes, the expiry date, and optionally a link to the asset the credential belongs to. That completeness is the point. When a technician opens a client’s firewall password at 2am, they shouldn’t have to go anywhere else to get the six-digit code.
For MSPs looking to get a handle on where their client 2FA seeds are living — and what happens to them when a phone breaks or a technician quits — Weavestream’s vault is a straightforward answer. Everything encrypted, everything versioned, everything in one place.