From my perspective this feature will not give realistic security benefit. To my knowledge a user cannot just “use” a password without “reading” it. There is no simple mechanism to prevent a user that can use a password to sneak behind the inner working of the application or a given webpage to get access to this information. For example a user could very much use the development tools of their browser to inspect the content of the webpage where the password is used and capture the information when it’s pasted in the page or in transit over the network.
The solution from my perspective is:
- Password rotations, e.g. if a user leave the organization somebody need to update all the passwords this person had access to.
- One time passwords access: As a logged in user I can request a one-off access to a given password