Biometric login flow details for PowerShell Module
Biometric login allows users to authenticate using a biometric credential (fingerprint, face scan, PIN or other secure token) without entering a password. Keeper treats these credentials as cryptographic tokens tied to the user.
A biometric credential is generated locally on the user’s device.
This creates a public/private key pair.
The private key is stored securely on the device and never leaves the device.
The public key
When logging in with biometrics, the device signs a cryptographic challenge using the private key.
This signed challenge (token/assertion) is sent to Keeper.
Keeper validates the signature using the previously registered public key.
If validation succeeds:
Zero-Knowledge Security – Keeper never receives biometric data or the private key; it only stores the public key.
Device-Bound Credentials – The credential is tied to the device that created it.
Password-less Login – Once registered, the credential can replace the master password or any default 2FA.
Fallback Methods – Users can still use passwords or other 2FA methods if biometric login fails.
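The challenge/response exchange described above, as an added example that is not Keeper's or PowerCommander's code. It assumes a software ECDSA P-256 key in place of the Windows Hello protected key, an in-memory "server", and single-use challenges; the function names New-DemoChallenge and Test-DemoAssertion and all values are hypothetical.

```powershell
# Added illustration of the challenge/response flow; not Keeper or PowerCommander code.
# Assumptions: a software ECDSA P-256 key stands in for the Windows Hello key, and
# the "server" is two in-memory tables. All names and values here are constructed.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$curve  = [System.Security.Cryptography.ECCurve]::CreateFromFriendlyName('nistP256')

$registered = @{}   # server side: credential ID -> public key parameters only
$pending    = @{}   # server side: credential ID -> outstanding challenge

function New-DemoChallenge([string]$CredentialId) {
    # Fresh random challenge per login attempt, remembered until it is answered
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pending[$CredentialId] = $bytes
    return ,$bytes   # leading comma keeps the byte[] type intact
}

function Test-DemoAssertion([string]$CredentialId, [byte[]]$Signature) {
    $challenge = $pending[$CredentialId]
    $pending.Remove($CredentialId)   # consume it, so a captured assertion cannot be replayed
    if ($null -eq $challenge -or -not $registered.ContainsKey($CredentialId)) { return $false }
    # Verification needs only the public key that was stored at registration
    $verifier = [System.Security.Cryptography.ECDsa]::Create($registered[$CredentialId])
    return $verifier.VerifyData($challenge, $Signature, $sha256)
}

# Registration: the key pair is created on the device; only the public half is shared
$credId    = 'demo-credential-1'
$deviceKey = [System.Security.Cryptography.ECDsa]::Create($curve)
$registered[$credId] = $deviceKey.ExportParameters($false)

# Login: the server issues a challenge, the device signs it, the server verifies it
$challenge = New-DemoChallenge $credId
$assertion = $deviceKey.SignData($challenge, $sha256)
$login     = Test-DemoAssertion $credId $assertion

# Same assertion sent again: the challenge was already consumed
$replay    = Test-DemoAssertion $credId $assertion

# New challenge signed by a key that was never registered for this credential
$otherKey  = [System.Security.Cryptography.ECDsa]::Create($curve)
$forged    = $otherKey.SignData((New-DemoChallenge $credId), $sha256)
$wrongKey  = Test-DemoAssertion $credId $forged

[pscustomobject]@{ Login = $login; Replay = $replay; WrongKey = $wrongKey }
```

The resulting object reports the first assertion as accepted, and both the replayed assertion and the one signed by an unregistered key as rejected.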
PowerCommander supports biometric login with Windows Hello only.
Prerequisites:
Windows 11 or higher
PowerCommander version 1.0.7
The following commands are supported:
Register-KeeperBiometricCredential creates a new passkey using the email of the currently logged-in user. Once biometric login is registered on a device, this passkey is used to authenticate the user at login.
To use this command, you must be logged in on the CLI.
Note:
After executing this command, the user must register the device with Keeper to use biometric login as the default login method.
Persistent login takes precedence over biometric login, so if the device has persistent login enabled, biometric credentials are not required during login.
Execution:
Support: This command supports Windows Hello only.
Flags:
PassThru: Controls whether the credential ID and related details are printed. When the flag is set, the details are printed; otherwise they are not.
Examples
With PassThru flag
Without PassThru flag
Show-KeeperBiometricCredentials shows all credentials registered to the given account, along with the authenticator type, credential ID, creation date and last-used date.
To use this command, you must be logged in on the CLI.
Execution:
Flags:
IncludeDisabled - Also shows credentials that were used earlier but are no longer active, alongside the active ones.
Example
Assert-KeeperBiometricCredential authenticates your session with the stored credential. The same functionality is used when logging in with biometrics.
Execution:
Flags:
Purpose - Either login or reauth. This tells the server whether the credential is being checked for logging in or to verify whether we are logged in.
PassThru - Controls whether command output such as the credential ID is shown. The default is false, so these details are not shown.
Sample Output
Unregister-KeeperBiometricCredential deactivates a biometric credential in Keeper, meaning the Keeper platform stops accepting that cryptographic credential for logging in the user.
Execution:
Flags:
CredentialId - The credential ID of the credential to deactivate. If none is given, all biometric passkeys are disabled.
PassThru - Filters the result. The default is false, so no technical details are returned when the command runs; when the flag is given, the details of the deleted credential are shown.
Example output:
Keeper now associates this public key with the user for future authentication.
Keeper treats the token as proof of identity.
The user is granted access to the vault/session.
Register-KeeperBiometricCredential
PS>Register-KeeperBiometricCredential -PassThru
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.
Name Value
---- -----
Username <user>
Timestamp 26-09-2025 08:01:08
DisplayName <user>
CredentialId ...W25xo-z_9QyWdti5CsQ
Success True
PS>Register-KeeperBiometricCredential
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.
Show-KeeperBiometricCredentials
PS> Show-KeeperBiometricCredentials -IncludeDisabled
Registered Biometric Authentication Methods:
----------------------------------------------------------------------
Id: ....w6ZGlzYWJsZWQ=
Name: Platform Authenticator (DISABLED)
Created: 2025-09-25 10:22:17
Last Used: 2025-09-25 11:12:00
----------------------------------------------------------------------
Id: YlDRvVIYsC0.....
Name: Platform Authenticator
Created: 2025-09-25 12:17:10
Last Used: 2025-09-25 12:26:28
----------------------------------------------------------------------
Assert-KeeperBiometricCredential
PS> Assert-KeeperBiometricCredential -Purpose vault -PassThru
Verification completed successfully!
Name Value
---- -----
Username <username>
Message Windows Hello authentication with Keeper completed successfully
EncryptedLoginToken {}
Purpose vault
CredentialId ....RRR2nPv78NMuM
Success True
IsValid True
Unregister-KeeperBiometricCredential -CredentialId <credentialId> -PassThru
PS>Unregister-KeeperBiometricCredential -PassThru
Are you sure you want to permanently remove ALL biometric authentication for user '<username>'? (y/N): : y
Successfully unregistered passkey on server
Successfully unregistered credential for <username>@keepersecurity.com
Name Value
---- -----
Username <username>
Message Biometric credentials unregistered successfully
CredentialId ......OfRGyfRRR2nPv78NMuM
Success True
Installing the Keeper Commander PowerShell Module
A version of Keeper Commander is developed in .NET with a PowerShell module. This is published to the PowerShell Gallery as the PowerCommander module. This document provides instructions for installing and using this PowerShell module.
Keeper's PowerShell command-line tool (PowerCommander) provides basic vault access and administrative functions.
The PowerShell module for Keeper Commander is available on the PowerShell Gallery:
To install PowerCommander from PowerShell Gallery:
To run the PowerCommander module from the source, refer to the following GitHub Link:
Set Execution Policy Permissions
If you are unable to run PowerCommander commands, you may need to set the Execution Policy. To check this, run the following command:
Your output would be similar to this:
If the Scope for your installation is Undefined or Restricted, set it to Unrestricted with the following command:
Note: The above command sets the CurrentUser scope
If biometric authentication is configured on your device, you can use Windows Hello to log in to Keeper Commander. This allows you to bypass both the Master Password and two-factor authentication (2FA) for a faster, secure login experience.
For Windows users, ensure Windows Hello is configured:
Navigate to Settings > Accounts > Sign-in options > Windows Hello
Set up Face recognition, Fingerprint, or PIN
First, login to Keeper Commander with your Master Password (or SSO), then register biometric authentication:
A biometric authentication prompt (fingerprint or Face ID) will be displayed.
Register by authenticating with your fingerprint or Face ID when prompted by the system.
With successful fingerprint or Face ID authentication, the registration will be completed:
To use biometric authentication as your default login method, you must register your device:
Not all capabilities of Keeper Commander (Python) have been added to the PowerShell module. We add them on request by customers. If you have requests for our engineering team, please email [email protected].
Connect To Keeper Account
List the content of Keeper folder
f - folder
r - record
S - shared
A - file attachments
Show Two Factor Code for all records in the current Keeper folder
Show Two Factor Code for all records in the Vault.
where
kr is alias for Get-KeeperRecord
2fa is alias for Show-TwoFactorCode
Copy record password to clipboard
where
contro is a substring of the record title. See last entry of kdir output in example #2
kcc is alias for Copy-KeeperToClipboard
or
'ktY3jEBqwFDi9UYZSxmIpw' is the Record UID of the same record
Add/Modify Keeper record
Creates a legacy record in Keeper
Creates a record of login type in Keeper
Generates a new password for an existing record
Pre-defined fields supported by both legacy and typed records
login Login
password Password
url Website Address
Copy owned record to folder
Copies all records in the current Keeper folder to the folder with name 'Shared Folder'
List all enterprise users
Create a new Managed Company
Switch to a new Managed Company
kcd
Change Keeper folder
Get-KeeperChildItem
kdir
Display subfolder and record names in the current Keeper folder
ko
Get Keeper object by UID
kr
Enumerate all records
kadd
Add/Modify Keeper record
kdel
Delete Keeper record
ksf
Enumerate all shared folders
kmv
Move records to Keeper folder
kmkdir
Create Keeper folder
Edit-KeeperFolder
krmdir
Remove Keeper folder
krti
Get Record Type Information
Copy-KeeperToClipboard
kcc
Copy record password to clipboard
Show-TwoFactorCode
2fa
Display Two Factor Code
t
kda
Download file attachments
Copy-KeeperFileAttachmentToStream
Download file attachment to stream
Upload file attachment to a record
kwhoami
Print account license information
Print the current device settings
this-device
Modifies the current device settings
Get-KeeperPasswordVisible
Show/hide secret fields setting
Set-KeeperPasswordVisible
Sets whether password fields should be visible or not
Add a new custom Keeper Record Type.
Update an existing custom Keeper Record Type.
Delete a custom Keeper Record Type by its ID.
Imports custom record types into Keeper from a JSON file.
Downloads custom record types from Keeper Vault to a JSON file.
Get-KeeperRecordPassword
Gets the password from a Keeper record by name, title, UID, or record object.
Get-KeeperPasswordReport
Generate comprehensive password security report for Keeper records.
kshf
Add a user or team to a shared folder
kushf
Remove a user or team from a shared folder
kat
Get available teams
kotsg
Get One-Time Shares for a record
kotsn
Create One-Time Share
kotsr
Remove One-Time Share
Get-KeeperEnterpriseTeamUser
ketu
Get a list of enterprise users for team
kena
Create Node (new)
invite-user
Invite User to Enterprise (new)
lock-user
Lock Enterprise User
unlock-user
Unlock Enterprise User
transfer-user
Transfer user account to another user
delete-user
Delete Enterprise User
ker
Enumerate all enterprise roles (new)
Get-KeeperMspLicenses
msp-license
Return MSP licenses
Switch-KeeperMC
switch-to-mc
Switch to Managed Company (new)
Switch-KeeperMSP
switch-to-msp
Switch back to MSP (new)
Get-KeeperManagedCompany
kmc
Enumerate all enterprise managed companies
New-KeeperManagedCompany
kamc
Create Managed Company
Remove-KeeperManagedCompany
krmc
Remove Managed Company
Edit-KeeperManagedCompany
kemc
Edit Managed Company
Get-MspBillingReport
Run MSP Billing Report
Get-KeeperNodeName
Return Name of current Enterprise Node
Get-KeeperRoleName
Get Display Name of Enterprise Role
Create an enterprise team
Get-KeeperEnterpriseRoleUsers
Get a list of enterprise users for a role
Get-KeeperEnterpriseRoleTeams
Get a list of enterprise teams for a role
Get-KeeperEnterpriseAdminRole
Get a list of Administrator Permissions
Remove-KeeperEnterpriseTeamMember
Removes existing enterprise users from a Keeper team.
Add-KeeperEnterpriseTeamMember
Adds existing enterprise users to a Keeper team.
ksm-unshare
Remove a Shared Folder from KSM Application
ksm-addclient
Add a client/device to KSM Application
ksm-rmclient
Remove a client/device from KSM Application
Grant Keeper Secret Manager Application Access to a user
Revoke Keeper Secret Manager Application Access from a user
O - owner
kc
Login to Keeper
kq
Logout and clear the data
Registers a new biometric credential (Windows Hello/WebAuthn)
Checks if a biometric credential exists for the current user
Lists all biometric credentials registered for the current user
kc
Login to Keeper server
ks
Sync with Keeper server
Logout and clear the data
Get-KeeperLocation
kpwd
kshrsh
Show a record sharing information
kshr
Share a record with user
kushr
Remove record share from user
ktr
ked
Sync Keeper enterprise information
ken
Enumerate all enterprise nodes
keu
Enumerate all enterprise users
ket
ksm
Enumerate all Keeper Secret Manager Applications
ksm-create
Add a Keeper Secret Manager Application
Delete a Keeper Secret Manager Application
ksm-share
List passwords that are breached according to BreachWatch
Check a given password against BreachWatch passwords
Ignore a given record in BreachWatch alerts
Get-KeeperIgnoredBreachWatchRecords
Print current Keeper folder
Transfer record ownership to user
Enumerate all enterprise teams
Add a shared folder to KSM Application
List ignored BreachWatch records
Removes the biometric credential from the current user
Install-Module -Name PowerCommander
PS> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Undefined
PS> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
PS>Register-KeeperBiometricCredential -PassThru
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.
Name Value
---- -----
Username <user>
Timestamp 26-09-2025 08:01:08
DisplayName <user>
CredentialId ...W25xo-z_9QyWdti5CsQ
Success True
Attempting keeper biometric authentication...
Verification completed successfully!
PS > Set-KeeperDeviceSettings -Register
PS > Connect-Keeper
Keeper Username: [email protected]
... Password:
PS > kdir
Vault Folder: \
Mode UID Name
---- --- ----
f----- b3TMAYfOWJqNxeLjlA6v_g dasdasd
f----S BvHeHGkdRJfhGaRcI-J5Ww shared
-r-AO- 5qx_urh2EsrL0wBdi34nFw Web
-r---S ktY3jEBqwFDi9UYZSxmIpw Control
PS > kdir -ObjectType Record | Show-TwoFactorCode
PS > kr|2fa
PS > 'contro' | kcc
PS > 'ktY3jEBqwFDi9UYZSxmIpw' | kcc
PS > kadd -Title 'Record for John Doe' -GeneratePassword [email protected] url=https://company.com 'User Name=John Doe'
PS > kadd -RecordType login -Title 'Record for John Doe' -GeneratePassword [email protected] url=https://company.com 'User Name=John Doe'
PS > $address = @{"street1" = "123 Main St."; "city" = "Neitherville"; "state" = "CA"; "zip" = "12345"}
PS > kadd -RecordType address -Title 'Home Address' -address $address phone.Home='(555)123-4567' name="Doe, John"
PS > kadd -Uid <RECORD UID> -GeneratePassword
PS > Get-KeeperChildItem -ObjectType Record | Move-RecordToFolder 'Shared Folder'
PS > Get-KeeperEnterpriseUser
PS> New-KeeperManagedCompany -Name "Company Name" -PlanId enterprisePlus -Allocated 5
PS> switch-to-mc "Company Name"