Additional information regarding FIDO2 Security Keys in Keeper
Keeper Administrators can enforce the use of FIDO2 security keys, and require that a security key can be used as the only 2FA method. Security Keys can be enforced for any type of account, including Master Password-based login and SSO login.
Administrators can also require the use of PIN associated with the hardware key.
Screenshot below:
Enforcing the use of a FIDO2 hardware security key has several implications for users which admins need to be aware of. The information below is accurate as of May 2024.
Support for enforcing a FIDO2 Security Key can vary based on the device operating system and device firmware capabilities.
Keeper on iOS currently requires using NFC keys, not plug-in keys.
The activation of security keys as the only factor requires the use of the Web Vault or Desktop App. Enrollment of security keys as the only factor on iOS/Android will be rolled out in a later release.
Some components of the mobile application do not support NFC hardware keys natively, such as iOS app extensions (during Autofill functions). The current solution to handle this issue is to extend the login session between iOS main app and iOS autofill extension to reduce the need for re-authentication. To enable this capability, follow the below steps:
From the Web Vault or Desktop App, go to Settings > Security and enable "Stay Logged In"
From the iOS app, go to Settings > and set the Logout Timer to your preferred value.
Now, using the main iOS app and the Autofill functionality will be logged in together
The PIN requirement is supported based on the capabilities of the device. As of this writing, mobile OS support for PIN enforcements is limited. We do not recommend enforcing the PIN if users are accessing Keeper on their mobile device.