diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -21,12 +21,8 @@
       return new Aphront404Response();
     }
 
-    $view_uri = '/K'.$credential->getID();
+    $view_uri = $credential->getURI();
 
-    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
-      $viewer,
-      $request,
-      $view_uri);
     $is_locked = $credential->getIsLocked();
 
     if ($is_locked) {
@@ -39,7 +35,7 @@
         ->addCancelButton($view_uri);
     }
 
-    if ($request->isFormPost()) {
+    if ($request->isFormOrHisecPost()) {
       $secret = $credential->getSecret();
       if (!$secret) {
         $body = pht('This credential has no associated secret.');
@@ -76,6 +72,7 @@
 
       $editor = id(new PassphraseCredentialTransactionEditor())
         ->setActor($viewer)
+        ->setCancelURI($view_uri)
         ->setContinueOnNoEffect(true)
         ->setContentSourceFromRequest($request)
         ->applyTransactions($credential, $xactions);
diff --git a/src/applications/passphrase/storage/PassphraseCredential.php b/src/applications/passphrase/storage/PassphraseCredential.php
--- a/src/applications/passphrase/storage/PassphraseCredential.php
+++ b/src/applications/passphrase/storage/PassphraseCredential.php
@@ -52,6 +52,10 @@
     return 'K'.$this->getID();
   }
 
+  public function getURI() {
+    return '/'.$this->getMonogram();
+  }
+
   protected function getConfiguration() {
     return array(
       self::CONFIG_AUX_PHID => true,
diff --git a/src/applications/passphrase/xaction/PassphraseCredentialLookedAtTransaction.php b/src/applications/passphrase/xaction/PassphraseCredentialLookedAtTransaction.php
--- a/src/applications/passphrase/xaction/PassphraseCredentialLookedAtTransaction.php
+++ b/src/applications/passphrase/xaction/PassphraseCredentialLookedAtTransaction.php
@@ -30,4 +30,10 @@
     return 'blue';
   }
 
+  public function shouldTryMFA(
+    $object,
+    PhabricatorApplicationTransaction $xaction) {
+    return true;
+  }
+
 }