Vault Offline Access

Offline access is a common use case for organizations who require vault access in poor network conditions or when SSO is unavailable.

Overview

Offline Mode allows users access to their vaults from any device when they are not able to connect online to Keeper or to their SSO Identity Provider. Offline access is available for Keeper Web, Desktop, iOS and Android Mobile Apps.

This capability works by making a copy of your encrypted vault to your local device. The vault ciphertext is stored in an encrypted format which is only accessible if the user provides their Master Password or biometric authentication. Offline access also works with multiple accounts on the same device.

Offline Authentication Methods

  • Master Password

  • Biometrics

Platforms that Support Offline Access

Mobile

iOS

Mobile

Android

Desktop

Keeper Desktop (Mac, Windows, Linux)

Web Browser

Web Vault (Chrome, Safari, Firefox, Edge)

Work Offline with an SSO Enabled Account

If your organization's SSO is not available (e.g. is offline), click Work Offline in the lower right corner of your screen then click Enterprise SSO Login > SSO User with a Master Password to gain access to your vault offline.

Work Offline
SSO Master Password for Offline Login

From the login screen, enter your Master Password to login offline.

SSO Login with Master Password

For users who normally login with SSO and do not have a Master Password setup, you must first configure one in order to login to Keeper when offline by visiting your vault Settings Menu.

Email Address > Settings

This feature can be activated by the Keeper Administrator from the Keeper Admin Console. The role enforcement policies are documented here.

Offline Setup

To access Offline Mode, your device will need to be “primed” with a local copy of your vault by logging in with an online connection at least once. Moving forward, you will have access to all of the records in your vault and you can create new records and edit existing records, all without requiring a network connection.

Users can confirm their Keeper Vault is available offline via a lightning bolt icon or "Available Offline" text which indicates your vault data has been loaded onto that device. If the availability indicator is not present, you will need to login to your vault at least once while online.

Offline Availability on Web and Desktop
Offline Availability on iOS
Offline Availability on Android

Work Offline

To activate Offline Mode from the vault login screen or from within your vault on Keeper Web or Desktop, click on the Work Offline button in the lower right corner of your screen. On iOS and Android, Offline Mode will automatically be initiated when logging in if you aren't connected to the internet.

Activate Offline Mode from the Vault Login Screen
Activate Offline Mode from Within Your Vault

The "Offline Mode" indicator will appear at that top of your vault window.

Offline Mode Indicator

Biometric Login

When biometrics (Touch ID, Windows Hello) have been activated on an account from the Keeper Desktop application, you can use this to authenticate offline instead of a Master Password.

To login offline with biometrics, first activate it from the Settings > Security screen.

Enable Biometrics

To login offline with biometrics, click on Work Offline, then click on the Touch ID or Windows Hello icon.

Login Offline with Biometrics

Resuming Online Session

You can resume a session online at anytime (provided you have a stable network connection) by clicking Go Online in the upper right corner of your vault window.

Offline Features

Keeper's offline capabilities are central to a user's ability to retrieve important data even in the poorest of network conditions. Key vault features that are available offline include:

  • Creating new records

  • Editing records

  • Moving records and shortcut creation (Mobile App)

  • Viewing your Security Audit score

  • Viewing Deleted Items (Web and Desktop)

A notice will appear if you attempt to perform an action that is not available while offline.

Feature Unavailable Notification

If a device is being used temporarily (e.g. a borrowed PC), then the stored offline vault can be deleted from that device.

From the vault login screen, click the dropdown icon in the email address field, then click the "X" to the right of your email address to delete all offline data associated with that vault from the device. This action can be similarly performed on all Keeper platforms.

Deleting Offline Data

When logging in offline on a Web Browser (Chrome, Firefox, Safari, Edge), the user must navigate to the exact URL: US Data Center: https://keepersecurity.com/vault US Public Sector / GovCloud: https://govcloud.keepersecurity.us/vault EU Data Center: https://keepersecurity.eu/vault AU Data Center: https://keepersecurity.com.au/vault CA Data Center: https://keepersecurity.ca/vault JP Data Center: https://keepersecurity.jp/vault

Administrative Guide

Admin Console Interface for Offline Mode

Offline access for users can be enabled or disabled via the Admin Console's Enforcement Policies menu with a simple toggle, by default Offline Access is enabled.

Restrict Offline Access Enforcement

Offline SSO & Master Password

To provide users who normally login with SSO the ability to access their vault in offline mode, the Keeper Administrator can enable the use of a Master Password as a role-based enforcement, this feature is disabled by default.

To enable SSO users the ability to set a Master Password for offline access, turn "on" the Allow users who login with SSO to create a Master Password toggle in the Login Settings section of Enforcement Policies menu.

SSO Master Password Enforcement (Disabled by Default

Considerations for Offline Access:

  • In order have a local repository to access offline the vault needs to have been authenticate and synchronized online first at least once.

  • Ensure that the Remember Email checkbox is selected at the login screen of the Web Vault.

  • The data in the vault will be as current as the last data push.

  • Master Password or Biometrics support offline access.

  • By definition, Two-Factor Authentication protects cloud-based APIs and online authentication. When users authenticate to their vault, they authenticate both locally and on the server. During offline mode, the user is authenticating locally and decrypting their vault. Therefore, during offline mode, users are not prompted for Two-Factor Authentication.

  • If 2FA is enforced for every login from role policies or user selection, offline mode will not function on that particular device.

Last updated