Description

Keeper Security is aware of the recent security breach at Okta, where cybercriminals accessed client files through its support system. As part of its support process and system, Okta’s customers upload HTTP Archive (HAR) files which contain sensitive information from the user's web browser. This information included session tokens that were used to impersonate several Okta customers.

Impact to Keeper

Keeper Security does not use any of Okta’s products internally - for Single Sign-On (SSO) or any other purpose. Therefore, Keeper’s internal business operation was not impacted by the security incident at Okta.

Keeper is a zero-knowledge and zero-trust cybersecurity platform which means that all of the encryption of user data occurs on the user's device, and Keeper does not have the ability to access any customer data. Further, least-privilege, role-based access control and delegated administration permit and restrict access for all users in the system. Keeper's employees utilize the Keeper Enterprise platform for authenticating into websites and applications using strong and unique passwords generated by our software.

Keeper SSO Connect® is a powerful feature of the Keeper platform which provides customers with the ability to authenticate into their Keeper vaults using their preferred SAML 2.0 identity provider - both on-premises and in the cloud. Keeper SSO Connect, when properly configured with Okta SSO, provides enterprise-wide authentication and end-to-end encryption with zero-knowledge and zero-trust security.

For those customers who use Okta with Keeper SSO Connect for accessing their Keeper vaults, please implement the following best practices:

1. Enforce MFA on the Keeper vault in addition to enforcing MFA at Okta for all privileged users. Keeper is the only Enterprise Password Manager that provides an additional layer of MFA to reduce the risk associated with an identity provider takeover attack.

2. To prevent users from accessing their work vaults outside of approved locations and networks, administrators should activate IP Address Allowlisting. This is a role-based enforcement setting in the Keeper Admin Console which enforces that users can only access their vaults when their device is on an approved network. This should always be enforced for administrative roles.

3. Reduce administrator privilege for SSO-enabled accounts. If an administrator uses Okta to authenticate into the Keeper platform, reduce the role privilege so that their administrative responsibility is limited in scope to perform their role with the organization.

4. Ensure that at least one administrator is able to access the Keeper platform using a Master Password authentication method in case the SSO identity provider is unavailable.

5. Activate Keeper's event reporting and alerting system into your security operations. Keeper integrates into any popular SIEM solution including Splunk and Datadog. In the Keeper Admin Console, alerts can be configured to notify your security team covering over 200 different event types.

References

Blog Post Regarding IdP Takeover Attacks

https://www.keepersecurity.com/blog/2023/10/24/enforcing-least-privilege-mitigates-identity-provider-takeover-attacks/

Keeper Enterprise Security Recommendations

https://docs.keeper.io/enterprise-guide/recommended-security-settings

Keeper SSO Connect

https://docs.keeper.io/sso-connect-cloud/

Keeper's Security and Encryption Model

https://keepersecurity.com/security.html

If you have any questions please contact security@keepersecurity.com.

As new security advisories are published online for various systems, Keeper Security will post relevant information here.

NIST Link

https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Impact to Keeper

Keeper Security's application servers are protected by AWS Shield which defends against DDoS attacks, and Keeper is not vulnerable to this attack. More info is posted on Amazon's blog here.

If you have any questions, please email us at security@keepersecurity.com.

Description

A presentation at Black Hat EU 2023 discussed credential stealing on mobile password managers. Keeper was listed as an impacted application. Keeper has safeguards in place to protect against this issue as described below.

Keeper's Response

On May 31, 2022, Keeper received a report from the researcher about a potential vulnerability. We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record.

Keeper has safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user. On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website. The user is asked to confirm the association of the application to the Keeper password record prior to filling any information. On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.

Generally, a malicious Android application would first need to be submitted to Google Play Store, reviewed by Google and subsequently, approved for publication to the Google Play Store. The user would then need to install the malicious application from Google Play and transact with the application. Alternatively, the user would need to override important security settings on their device in order to sideload a malicious application.

Keeper always recommends that individuals be cautious and vigilant about the applications they install and should only install published Android applications from trusted app stores such as the Google Play Store.

Resources

A screenshot of Keeper's protection in place is displayed below. A user is prompted to trust the application from retrieving and filling the specified credentials. This security feature has been in place for several years and no additional updates are required.

This simple Android app demonstration can be viewed on Keeper's public Github repo: https://github.com/Keeper-Security/android_webview_autofill

To learn more about how to keep your smartphone safe, please visit: https://www.keepersecurity.com/blog/2022/10/13/how-to-keep-your-smart-phone-safe-and-personal/

If you have any questions, please email us at security@keepersecurity.com.

NIST Link

Description

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical).

Impact to Keeper

If you have any questions, please email us at security@keepersecurity.com.

NIST Link

Description

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Impact to Keeper

If you have any questions, please email us at security@keepersecurity.com.

NIST Link

Description

A researcher filed a CVE (CVE-2023-36266) in regards to the scanning of local memory when using Keeper Desktop and browser extension software.

Impact to Keeper

As with any software product, if an attacker controls the local computer, the attacker can perform any action the user or an application could perform. In the case of a password manager, if an attacker can read arbitrary memory, then an attacker can read decrypted contents of the password manager while the application is in use. This applies to any password management product. Security researchers understand that a fully compromised device scenario has severe implications for the user.

Keeper has multiple security mechanisms in-place to defend against compromised end-user devices. Keeper client software only decrypts the user's vault upon successful login, and only stores decrypted values during use in volatile memory. When a user is logged out or timed-out, decrypted values are removed from memory. In addition, the Keeper desktop application provides a setting in the "Security" screen which forces a full application restart upon auto-logout, to ensure that data is cleared upon locking. In the case of a web browser such as Chrome, Keeper requests the clearing of memory after logout, however the memory management of the underlying browser is outside of Keeper’s control and can sometimes take time for the memory management system to complete this operation.

With all end-user software, it's important to ensure that users reduce the risk of a compromised device by following security best practices, keeping all software up-to-date and installing adequate antivirus / malware protection software.

Keeper has stood by its commitment to protect your most valuable data for more than a decade, through our best-in-class Zero-Knowledge and Zero-Trust security model and transparent approach to sharing it with the public. For information regarding Keeper's security and encryption model, please visit:

If you have any questions, please email us at security@keepersecurity.com.

NIST Link

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).

Oracle link:

Impact to Keeper

Keeper Security is not impacted by this vulnerability. Keeper does not use Java runtimes that are affected, as reported by Oracle. Keeper also does not use the ECDSA implementation in the built-in Java library. Keeper uses BouncyCastle for ECDSA implementation, which is not impacted.

If you have any questions, please email us at security@keepersecurity.com.

NIST Link

Description

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.

Impact to Keeper

Keeper is not impacted by this issue. To ensure that we were not impacted by a similar vulnerability, Keeper contracted a 3rd party penetration tester in July 2023 to validate our protection against this type of attack. The report PDF is posted below:

If you have any questions, please email us at security@keepersecurity.com.

View all latest updates

2024

2023

Just Released

Release History by Platform

New Content and Guides

Recent Product Milestones

FIPS 140-3 Validation

The Keeper Security Cryptographic Module is certified by the NIST Cryptographic Module Verification Program (CMVP) to meet the FIPS 140 standard under certificate #4976.

KeeperPAM: Privileged Access Manager

Achieve visibility, security, access control and compliance across your entire organization.

Risk Management Dashboard

Comprehensive security posture information covering end-user deployment, utilization, cloud configuration, and event monitoring.

Passphrase Generator, Password and Passphrase Policies

Enhanced policy enforcements for password and passphrase generation.

Granular Sharing Policies

Enhanced policy enforcements related to record and folder sharing.

Time-Limited Access

Provide time-based access to any resource in Keeper.

Self-Destructing One-Time Shares

Simplify employee onboarding and external data management with self-destructing shares.

Automated Password Rotation

Securely and automatically rotate credentials across cloud-based and on-premises environments.

Share Admin

Provide additional privilege to admins who manage shared data.

FedRAMP Authorization

Keeper is the industry's first FedRAMP and StateRAMP Authorized solution.

One-Time Share

Share records securely to non-Keeper users

Keeper Connection Manager

Instantly access your infrastructure with zero-trust security.

Compliance Reports

On-demand visibility to access permissions on records and credentials in your enterprise.

Keeper Secrets Manager

Manage and protect your cloud infrastructure with zero-trust and zero-knowledge security.

Record Types

Structured template that can contain any type of information such as logins, payment cards, bank accounts, and many more.

Keeper Automator

Automated encryption operations and end-user approvals for SSO Cloud deployments.

Slack Channel

Please join Keeper's Slack Channel by requesting access from feedback@keepersecurity.com or contact your Keeper customer success representative.

Statuspage

Reddit

Post public questions on our Reddit community page

Need Help?

If you require assistance, please open a ticket:

Enterprise customers please select "Business" or "MSP"

If this is an urgent issue, click on the "This is an emergency..." checkbox

System Status

User Guides

Searchable FAQs

Cannot convert undefined or null to object

If you get this error, please click the "Full Sync" option from the vault along the bottom.

SSO Login not working

Typically, this means you need to update your SAML signing certificate. Follow the guide below for step by step instructions:

Email Invites not sending custom template

Ubuntu Linux GPG Key Renewed

We've also submitted this latest GPG public key to the keyserver.ubuntu.com keyserver.

Customers can pull down the latest key by running the below command and then retrying:

Samsung Autofill Selection Not Showing

Some customers are unable to select Keeper from the Samsung provider list when activating KeeperFill.

If Keeper does not show up, please open your device settings and search for "Passwords" then select Keeper under "Passwords, passkeys and autofill".

iOS Stuck on Syncing

If you are seeing syncing stuck on the screen, please check the following:

• Update to the latest version of Keeper on the App Store

• Instead of logging in with biometrics, try to login with your Master Password (clicking "Next")

• After a successful login, visit the settings screen of Keeper and turn OFF/ON the Face ID or Touch ID setting.

I'm being asked for a PIN with my FIDO2 Security Key

We will add a feature soon to allow consumers to decide whether or not user verification is required. This will be added to Vault version 16.10.4.

For our business customers, we're planning a role enforcement feature that requires user verification (by setting userVerification response to "required"). Until then, the system will respond based on your device setup.

Getting a 403 Error or Unable to Load Website

If you are unable to access Keeper's website or Vault from your device with a "403 error", your IP address is being blocked. Keeper automatically blocks IP Addresses that have a "low reputation score". This list of IPs is maintained by a dedicated threat research team at Amazon AWS, and as such we do not have visibility into exact reasons why an IP is placed on this list. To resolve the issue:

• Your external IP address will be provided on the screen.

• Business customers who need a range of IPs to be unblocked can provide a CIDR.

Upgrade to the latest version

Do a Full Sync

From the mobile apps, go to the Account screen > Sync > Sync Now. This performs a "full sync" of all the data and ensures that anything missed in the normal sync process is caught. The latest Web Vault and Desktop App also have a "Sync" feature along the bottom of the screen.

Install any pending browser updates

Browser extensions generally stop working properly if an update is pending or the browser is out of date, even by one version. Make sure to update your web browser to the latest version and then fully restart your web browser.

Clear Cache / Reset the Vault

Clear cache on your web browser or open Incognito Mode to try and login. If this works, you should just reset your Keeper app by visiting the Web Vault on your respective data center:

By appending #reset on the end will force Keeper to clear local data. Refresh the page a few times and this should clear things out.

Make sure only one extension is installed

Ensure only ONE Keeper browser extension is installed. Having two installed causes many issues. Visit Window > Extensions and check your extensions. Don't use multiple password managers at the same time.

Check for Cache Settings

Ensure that "clear site data when you quit Chrome" is disabled. This can cause errors and vault decryption issues.

Check for conflicting Antivirus, Popup Blockers, other Browser Extensions

This is a very common issue with our users. Keeper's advanced security protection and encryption prevents inspection of traffic, otherwise known as "man-in-the-middle". This can sometimes conflict with antivirus, popup blockers and web filtering apps. Make sure to try turning OFF these 3rd party plugins or applications to see if they are causing any conflict with Keeper.

Don't block Cookies

Many websites (including Keeper's browser tools) won't function correctly if you block cookies, block Javascript, block local storage or have any extreme browser privacy settings that prevent our product from running. Please try to set your browser to default settings and see if that resolves the issue you're experiencing.

Check your system clock

If you are experiencing an issue where the Two-Factor (TOTP) codes are different between your mobile and desktop devices, this is usually caused by the time difference between your devices. Ensure that your device time and date is set to "Automatic". If the times are different by even a few seconds, this will cause different codes to appear on different devices.

Face ID or Touch ID Stopped Working

If biometrics such as Face ID / Touch ID stops working, simply login to Keeper with your Master Password (or SSO), then visit the Settings screen and turn biometric login OFF and ON. This should resolve any biometric login issues.

Forgot Master Password?

Consumers: Keeper employees do not have access to your Master Password or Recovery Phrase, and we cannot reset it for you. If you have forgotten your Master Password, please try using our Account Recovery feature by visiting the "Need Help" > "Forgot Master Password" option on the Keeper login screen.

Without your Master Password or recovery phrase, your records cannot be decrypted. If you don't have recovery setup for the Keeper account at all, unfortunately account recovery will not be possible.

If you have tried all possible Master Password and Account Recovery options and are still unable to login to Keeper, we can delete your account so that you can start over. Please contact the support team for assistance.

A very common issue when a user is unable to login, is that people could have multiple Keeper accounts (perhaps from different email addresses), or maybe a typo in your email address. If you think that's a possibility, please contact our support team and we will assist you.

Business Customers: If you have tried all possible Master Password options and are still unable to login to Keeper, you will need to contact one of your Keeper Administrators within your company to have them either transfer your account to a new vault so that you do not lose any data. Or, request your Admin to delete your profile and re-invite you which will allow you to start over with a new master password. If you are using SSO for login, they can assist you in recovering your account with the SSO provider.

If you would like to change your existing Master Password from the Web Vault & Desktop App, from the account dropdown menu (your email ) select Settings and next to "Master Password" click Reset Now. You will then be prompted to enter your current Master Password Password and create and confirm a new Master Password.

To change your Master Password on iOS and Android devices, within your vault, navigate to the Settings menu, scroll down and tap Reset Master Password (on iOS) or RESET NOW (on Android). You will then be prompted to enter your Current Master Password Password and create and confirm a new Master Password.

2FA Issues (Lost phone or Authenticator)

Consumers: If you changed phones or do not have access to your two-factor authentication device, please contact Keeper support and we will assist you in resetting your Two-Factor Authentication settings. For individual and family users, please open a consumer support ticket and we will assist you.

Business Customers: Please contact the Keeper Administrator at your company. Your Keeper Admin can disable your 2FA. For Keeper Administrators, please open a business support ticket and we will assist you.

How to Stay Logged In Longer

Account Recovery Phrase Setup

Upon initial vault login, new users will be prompted to set up Account Recovery. Click Generate Recovery Phrase to begin.

Once your recovery phrase has been generated, be sure to store it in a safe place. For added convenience, you will be given the option to copy or download it. Check the box to acknowledge you have stored it in a safe place and click Set Recovery Phrase to complete the setup.

Forgotten Master Password & Account Recovery

After their initial login, users are asked if they would like to set up Account Recovery using an account recovery phrase. This is especially important if you forget your Master Password during the account recovery process which is based upon an account recovery phrase, backup verification code (sent via email) and Two-Factor Authentication code (if enabled).

Users who have signed into Keeper after August 2015, will automatically have Account Recovery enabled. To initiate Account Recovery, simply open Keeper through the Web Vault, iOS, Android or Desktop app and from the login screen, click/tap Forgot Password. Keeper will then walk you through a few steps to change your Master Password and recover your account. These steps will include a series of prompts requesting the following actions:

• Enter your email address to initiate the account recovery process

• Enter a backup verification code

• Enter your account recovery phrase

• Enter your Two-Factor Verification code (if enabled)

• Enter a new Master Password

Platform-specific Troubleshooting Guides

Downloads

User Guides

iOS Stuck on Syncing

If you are seeing syncing stuck on the screen, please check the following:

• Update to the latest version of Keeper on the App Store

• Instead of logging in with biometrics, try to login with your Master Password (clicking "Next")

• After a successful login, visit the settings screen of Keeper and turn OFF/ON the Face ID or Touch ID setting.

Syncing, Updates and Device Approvals

If adding a password on your desktop doesn't automatically sync down your mobile device, ensure that push notifications are enabled.

iOS and Android apps use push notifications for functionality such as:

• Realtime sync

• Device approvals

• Sharing notifications

Please ensure that push notifications are enabled on your device. Also, "Do Not Disturb" mode will prevent certain notifications from appearing. Device approvals will not be received if you have iOS in Do Not Disturb mode.

Other iOS Issues

Having issues on iOS? You may need to simply clear the cache on your device and reset the app settings. But before you do that, please make sure your data is fully available on the Keeper Web Vault or Desktop App.

• On the front door of the Keeper app, tap on "Need Help?" then tap Reset Keeper.

• Launch Keeper and Login to your account.

• You will be asked to approve the device during the login process.

Feature Requests

We love hearing from iOS customers. Send your feature requests to: feedback@keepersecurity.com.

Beta Slack Channel

Downloads

User Guides

Firefox Plug-in Changes

Safari Extension Changes

If you are unable to login to the KeeperFill Safari extension, a reset of the extension may be required. To reset your KeeperFill Safari extension, follow the below steps:

• Open Safari and select Safari > Settings

• From the Keeper extension, select Settings

• Click on "Clear All Storage"

• Restart Safari

Experiencing Autofill issues

If you are having issues with Autofill, please make sure you check the below:

• Make sure you only have ONE version of Keeper browser extension installed and active.

• Don't have multiple password managers installed, such as LastPass and Keeper at the same time. This is known to cause conflicts and bugs when filling sites.

• Make sure to turn off your browser's password manager.

• Install any pending browser updates. Pending browser updates cause issues with browser plugins.

• Ensure that "on all sites" is selected in your browser settings under Window > Extensions > Keeper Details screen under "Site access".

• Send any site-specific Autofill issues to feedback@keepersecurity.com and we'll fix it.

How to disable KeeperFill on specific sites

Enterprise customers can disable KeeperFill on sites across the organization. Please be sure to add the site's website address to the KeeperFill enforcement policy for the role in which you reside.

Additional Help

Feature Requests

We love hearing from customers. Send your feature requests to: feedback@keepersecurity.com.

Beta Slack Channel

Enterprise Guide

License expired and need to to renew your subscription?

User Status Report with invalid Last Login date

SSO Login: Unable to parse the SAML Response from the IDP

Typically, this means you need to update your SAML signing certificate. Follow the guide below for step by step instructions:

General SCIM Provisioning Issues with Teams and Users

• Ensure that you have assigned users or groups to the correct SAML application in your IdP

• When you invite a user from the identity provider or assign a user into a group that has been provisioned, the IdP will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.

• If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

• After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander The reason that teams and users can't be created instantly via SCIM, is due to the encryption model and the need to share a private key between users. Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.

SCIM Team User Assignment Delays

In Keeper, a team that is provisioned must generate the necessary public/private encryption key pair for that team. Similarly, when a user is assigned to a team, the team private key is encrypted with the public key of the user. This way, a user who is assigned team folders in the Keeper vault is able to decrypt the necessary folder keys and record keys. Since Keeper is a zero knowledge platform, this transaction must occur from one of the authenticated client device applications, such as the Admin Console, Vault, Commander CLI or Automator tools.

When a team or a team-user assignment is provisioned through SCIM, the team creation and the user team assignment goes into a "pending queue". This queue is then processed by the authenticated client side application that either creates the necessary team keys and shares the private keys with the intended users.

Currently, team creation and team-user assignment occurs when:

• The Admin logs in to the Keeper Admin Console UI

If you need to quickly clear out your pending Team and Team-User assignments, please run the following steps on a periodic basis:

• Login to Keeper Commander using keeper shell

• Run the following commands:

Enterprise SSO Users unable to login

For security reasons, Keeper will prevent Enterprise users outside of an SSO node from logging in with a federated identity provider. If you have users unable to login with SSO, please ensure that the user is provisioned to the node within the Keeper Admin Console to the SSO-enabled node. To move a user into an SSO node, edit the user and select the node from the drop-down.

Users Not Receiving Email Invites

Enterprise End-User's Email Changed

If your user's email has changed in your identity provider, you can simply add an alias to the user's identity in Keeper. This can be accomplished using the enterprise-user command. For example:

Enterprise Domain is Changing or has Changed

SSO Users asked for Master Password

If you have an SSO user being asked to enter a Master Password:

• Ensure that the user has been provisioned to an SSO-enabled node

• Ensure that the user is logging in from the correct data center (US, EU, AU, JP, CA, GOV)

User Prompted for Device Approval

• Users can approve their additional devices by using a previously approved device. For example, if you are logged into your web vault on your computer already, and logging into your phone app for the first time, you will get a device approval prompt on your web vault with the mobile device's information which you can approve or deny.

• Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

• When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".

• Using Guest, Private or Incognito mode browser modes or clearing the browsers cache will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.

To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customers to host a service which performs the device approvals and key exchange automatically, without any user interaction.

When logging into a new or unrecognized device, the user has two options:

• Keeper Push (using their own devices)

• Admin Approval (request administrator approval)

Questions about Cost of Deploying Automator

Delays in Login and Device Approval

If logging into a new device takes 20-30 seconds to complete, this could be caused by your Keeper Automator service being misconfigured or inaccessible by the Keeper servers. Please disable the Keeper Automator in your environment using the "automator disable" command.

Automator Fails after Instance Reboot (when using Azure App Gateway)

After an unexpected reboot of the container instance in Azure the container can sometimes come back up with a new IP address (e.g. x.x.0.5 even when the App Gateway had originally been provisioned with an IP of x.x.0.4 in the backend pool). Updating the IP of the container in the backend pool resolves this issue.

• In the Azure cloud shell, retrieve the current IP: az container show --name keeperautomatorcontainer --resource-group keeper_automator_rg --query ipAddress.ip --output tsv

• In Azure portal select Resource groups > $your_resource_group > your Application Gateway > Backend pools > change Target IP to the new one from above.

SSO Cloud Certificate Update

SSO Connect On-Prem Certificate

Commander scripting or coding questions

Secrets Manager

Keeper Connection Manager

Contact Us

If you need a phone call or Zoom call, just request this from the team and we will schedule it during business hours. Please be patient as we coordinate the call.

Emergency Support

Feature Requests

We love hearing from Enterprise customers. Send your feature requests to: feedback@keepersecurity.com.

Beta Slack Channel

Downloads

User Guides

Syncing Errors

If you are receiving an error on your mobile app, please make sure to update to the latest version. After you update, we recommend performing a Full Sync by clicking on Sync > Sync Now. This tends to resolve any searching or record-related issues.

Syncing, Updates and Device Approvals

If adding a password on your desktop doesn't automatically sync down your Android device, ensure that push notifications are enabled.

Android apps use push notifications for functionality such as:

• Realtime sync

• Device approvals

• Sharing notifications

Please ensure that push notifications are enabled on your device. Also, "Do Not Disturb" mode will prevent certain notifications from appearing.

Other Android Issues

Having issues on iOS or Android? You may need to simply clear the cache on your device and reset the app settings. But before you do that, please make sure your data is fully available on the Keeper Web Vault or Desktop App.

• Go to your device Settings icon, and then tap on the Applications menu. Scroll down until you see the Keeper icon and tap on it. Click on the Clear Data button, and then click OK. The next time you load Keeper, it will be reset to its original settings. Another way is to press-and-hold on the Keeper icon, then open the application info and clear the data.

• Re-install Keeper from Google Play on your device

• Launch Keeper and Login to your account. You will be asked to approve the device during the login process.

Feature Requests

We love hearing from Android customers. Send your feature requests to: feedback@keepersecurity.com.

Beta Slack Channel

Enhancements

• VAUL-6349: Updated the Security Audit tab in Vault to ensure the overall Security Audit score matches the per-user score in the Admin Console, reducing confusion.

Other Updates

• KDE-1534: Updated new installs to default to the native browser for SSO authentication instead of the app browser.

• VAUL-7176: Fixed an issue where setting up a hardware security key required extra steps; the Vault now prioritizes it using the “hints” syntax.

• VAUL-7262: PAM Updated router calls to use the /api/user path for commands.

Bug Fixes

• KDE-1607, 1606, 1608, and 1619: The SSH Agent will scan General typed records for private key file attachments

• KDE-1611: Fixed an issue where selecting Two-Factor Authentication triggered the Offline Access dialog.

• VAUL-7094: Fixed an issue preventing master password login when session resumption and 2FA were enabled

• VAUL-6787: Fixed an issue where the folder structure in Delete Items did not match the folder structure in Vault.

• VAUL-6394: Fixed an issue where the Web Vault allowed uploads past the storage limit; users are now blocked when the limit is reached.

• VAUL-6090: Fixed an issue where shortcut-linked records were not retained in shared folders after CSV export/import, preventing data loss.

• VAUL-5989: Fixed an issue where the password font displayed incorrectly when Japanese was selected on Windows 10/11.

• VAUL-6902: Fixed an issue where restoring a file attachment record caused repeated error messages and made attachments inaccessible in the Web Vault.

• VAUL-7095: Fixed an issue where creating a new record with a file attachment showed an empty record state instead of the record details.

• VAUL-7104: Fixed an issue where switching to Suomi/Svenska caused a Content Security Policy error in Stack.

• VAUL-7102: Fixed an issue where importing from Proton Pass did not include login details.

• VAUL-7109: Fixed an issue where "Share only in SF allowed" displayed the wrong modal in OTS.

• VAUL-6826: Fixed an issue where V3 records generated an error when viewing or downloading attachments.

• VAUL-7155: Fixed an issue where sharing a record to an account with an invalid email format failed silently instead of displaying an error message.

• VAUL-7101: Fixed an issue where expired business admins were not redirected to checkout and received the wrong message.

• VAUL-7184: Fixed an issue where failed invite attempts incorrectly showed a success message instead of an error.

• VAUL-7216: Fixed an issue where Firefox always assumed a security key was inserted for 2FA, preventing access to alternative methods; a modal now informs the user.

• VAUL-7219: PAM: Fixed an issue where the Gateway button was not visible despite the appropriate permissions being enabled.

• VAUL-7264: Fixed an issue where the Save & Share button remained disabled after validation.

• VAUL-7268: Fixed an issue where the Add button in the Shared Folder Share tab was enabled before entering an email.

• VAUL-7300, 7306, 7303, 7310, 7315, 7313, 7314, 7316, 7317, and 7321: Fixed several Security Audit bugs.

When a major release is planned, Keeper publishes a Preview version of the Vault and Desktop app, documented below. The pre-release version is typically published 1 week before public release.

Web Vault Preview

• US: https://keepersecurity.com/vault/preview

• EU: https://keepersecurity.eu/vault/preview

• AU: https://keepersecurity.com.au/vault/preview

• CA: https://keepersecurity.ca/vault/preview

• JP: https://keepersecurity.jp/vault/preview

• US_GOV: (No US Gov preview available for Web Vault)

Desktop App Preview

• Mac (.dmg) - Download

• Mac (.pkg) - Download

• Windows (.appx) - Download

• Windows (.msix) - Download

• Windows (.msi) - Download

• Linux (.rpm) - Download

• Linux (.deb) - Download

Enhancements

• VAUL-6966: Updated the vault login screen animations to stop after 30 seconds

• VAUL-6606: Updated the remaining router API endpoints to enhance performance and security.

• VAUL-6785: Adjusted the location of the visibility "eyeball" icon for long passwords, ensuring consistent UI across all record views.

• VAUL-6821: Introduced a new dialog that users are required to accept when being invited to a managed enterprise. Letting users know the enterprise administrator has the ability to manage their vault in accordance with company policies.

• VAUL-6866: Updated URL handling to restrict it to standard HTTP/HTTPS protocols, improving security and validation.

• VAUL-6869: Updated the title and meta description of the settings page to enhance SEO and search engine visibility.

Bug Fixes

• VAUL-5853: Addressed formatting inconsistencies within custom record types for Security Q&A fields.

• VAUL-5898:Fixed an issue where using the search and location filter together resulted in invalid or unexpected search results.

• VAUL-6051: Fixed an issue where the UI adjusted incorrectly after closing an error message generated by an invalid value in the native app filler.

• VAUL-6247: Fixed a bug where the "Success" message was missing after successfully removing users from shared records.

• VAUL-6312: Resolved a security issue where creating a duplicate record allowed shared users to access the full history, including previous sensitive information.

• VAUL-6385: Updated privacy screen for Teams / Owners, ensuring compliance with privacy requirements.

• VAUL-6403: Fixed an issue where users with role-based enforcements preventing record creation in shared folders were not receiving feedback when using "Create Duplicate" on a V2 General record.

• VAUL-6424: Fixed visual artifacts in the left navigation bar that appeared as unexpected white pixels.

• VAUL-6598: Fixed an issue where dropdown menus opened via the enter key couldn't be navigated using arrow or tab keys, improving screen reader accessibility.

• VAUL-6599: Resolved an issue where users needed to press the arrow key twice to focus on both icons and text when navigating the "Create New" menu or filter dropdowns via the Enter key.

• VAUL-6609: Addressed an issue where attachments in the detail pane of V3 shared records were not being displayed properly after edit or sync.

• VAUL-6652: Resolved UI issue where the PAM script model was cut off, improving the user experience.

• VAUL-6806: Fixed an issue where security data updates were not occurring as expected, improving data reliability.

• VAUL-6827: Resolved an issue where extra white space appeared in custom fields, improving layout consistency.

• VAUL-6839: Addressed issues related to missing or bad security data being propagated in certain scenarios.

• VAUL-6865: Removed the deprecated asmcrypto.js dependency, improving app performance and security.

• VAUL-6882: Fixed a password complexity error that occurred during save, when using the password rotation setting in certain scenarios.

• VAUL-6912: Resolved overlapping text issues on Mac/Chrome browsers when displaying tabs.

• VAUL-6964: Fixed an issue where the logout timer enforcement was not working as intended.

• VAUL-6967: Applied updates to sync timeline, loading vault records and then updating BreachWatch & Security Audit scores.

Enhancements

• KDE-1400: RSA to EC Security Updates

• VAUL-6152: RSA to EC Security Updates

• VAUL-7031: We've fixed an issue where copied backup codes contained spaces, causing them to be invalid. Backup codes are now copied without spaces.

• VAUL-7029: The "Add Device" and "Provision Gateway" options are now only visible in View mode, not Edit mode.

• KDE-1415: We've fixed an issue where incorrect OS keys were displayed in shortcut definitions.

• KDE-1245: All alert models have been updated to follow the new design guidelines.

• KDE-1240: We've fixed an issue where an incorrect error message was displayed when moving subfolders between shared folders.

• KDE-1547: We've fixed an issue where copied backup codes contained spaces, causing them to be invalid.

Other Updates

• VAUL-6899: Updated linked personal accounts to indicate the family admin, helping users identify the correct account to log into for managing members.

• VAUL-6590: We have allowed offline login with all 2FA durations as a separate setting in the app.

• VAUL-7061: We removed legacy bundle support to improve build efficiency.

• VAUL-7064: We updated the grid view icon.

• KDE-1529: We updated the Windows desktop build to support Visual Studio 2022 and target it in the GitHub Actions workflow.

• KDE-1532: Upgrade Electron framework to version 32.1.0 31.7.2 33.2.0.

• KDE-1488: We've enabled context isolation security for the desktop vault/tray renderers.

• KDE-1546: We've fixed an issue preventing Windows desktop builds from completing in GitHub Actions

• KDE-1548: We've added a new setting to allow offline logins with all 2FA durations.

• KDE-1550: We've fixed an issue with upload job caching by adding the Cache-Control: no-cache header.

• KDE-1558: We've updated the Windows Credential Locker, Windows Hello, and App Model features.

• KDE-1536: We fixed a recent Keeper outage caused by NGINX overload.

Bug Fixes

• VAUL-6437: Fixed an issue where custom templates with numeric names (without periods) appeared at the top of the list instead of under the "Custom Template" section.

• VAUL-6275: Fixed an issue ensuring that Record Type Sorting aligns with the modified list.

• VAUL-6889: The user gets a clear error message when the share request fails.

• VAUL-6908: Prevented users restricted from sharing or receiving from creating shared folders.

• VAUL-5874: Removed the period from the title on the empty Vault Splash Page.

• VAUL-5958, VAUL-5959: Implemented functionality improvements for My Vault, Record view, and Security Audit page, addressing customer expectations for dark mode, though some visual inconsistencies and color contrast requirements

• VAUL-6760: Fixed an issue where the Country field displayed incorrect or empty values when switching between Address records.

• VAUL-5702: Changing the default field type now updates the label accordingly.

• VAUL-6438: Standard records now appear in the top section and custom record types in the bottom section, each sorted independently with numerical first, followed by alphabetical.

• VAUL-6436: Resolved an issue where the letter 'g' was cut off in custom templates.

• VAUL-6758: Fixed an issue where the default password complexity wasn't saved during the initial rotation setup.

• VAUL-6972: Fixed an issue where restored records did not update security scores until the user logged out and back in.

• VAUL-5949: Fixed an issue where the Save button in Secrets Manager remained disabled after deleting a Gateway.

• VAUL-5862: Fixed an issue preventing users from deleting a Gateway in Secrets Manager if multiple Gateways existed.

• VAUL-5847: Fixed an issue where the sort header within the Secrets Manager did not reflect the selected sort option.

• VAUL-6635: Fixed an issue where the tooltip did not describe the cron format, adding an explanation and examples for proper usage.

• VAUL-6988: Fixed the update with the Login Buttons

• VAUL-6983: Fixed an issue that restricted Unlimited, FP, and Trial users from accessing offline mode via the login page.

• VAUL-6941: Fixed an issue where unreferenced records weren't deleted during sync down.

• VAUL-6911: Fixed an issue where removing a record link deleted the linked record despite other existing references.

• VAUL-6961: Resolved an issue where removing direct access to an owned record unintentionally removed ownership.

• VAUL-6990: We've resolved an issue where uploading a file larger than 100MB would block the upload of other selected files.

• VAUL-6977: We fixed the 'Internal Error' issue during offline logins.

• VAUL-6995: We fixed the issues where discard changes are generated twice.

• VAUL-6998: We fixed an issue where gateways were displayed randomly. They are now sorted numerically and alphabetically.

• VAUL-6947: We've resolved an issue where records were unintentionally removed from shared folders during the sync-down process.

• VAUL-7012: We fixed an issue with incorrect toast messages when trying to create duplicates without permission.

• VAUL-6881: We've fixed an issue where breach watch results were only sometimes being returned when expected.

• VAUL-6534: We've resolved an issue causing "bad request" errors during security data updates specifically for the vault client.

• VAUL-6962: We've resolved an issue where records created in the BE weren't appearing in the BW.

• VAUL-7019: We have fixed the issue with the secrets manager not showing up in SF/Records

• VAUL-6750: Vault now uses the encrypted session token returned by accept_enterprise_invite instead of the previous session token.

• VAUL-7025: We've fixed an issue where records with the password "hasOwnProperty" were causing various client crashes.

• VAUL-7018: We fixed an issue where selecting "all" in an empty shared folder incorrectly showed "1 selected." Now, it correctly shows "0 selected" and unselecting the box removes the message.

• VAUL-7036: We've fixed an issue where the Grid View Record Context Menu button was incorrectly positioned when focused.

• VAUL-7039: We fixed an issue where the file_attachment_uploaded audit event was incorrectly triggered for file removals.

• VAUL-7045: We've fixed an issue where vertical dividers were missing from the Security Audit.

• VAUL-7053: We've fixed an issue where the UI didn't display throttle messages when entering incorrect passwords multiple times in offline mode.

• VAUL-7059: We've fixed an issue where the cursor focus was incorrect after entering a password in the MP entry modal.

• VAUL-7060: We've fixed an issue where the Offline Duration Setting required a browser refresh to take effect.

• VAUL-7050: We've fixed an issue preventing MSPs from logging in offline.

• VAUL-7058: We've fixed an issue where Free Trial users without a BW subscription encountered a "bad request" error when scanning records with strong passwords.

• VAUL-7057: We've fixed an issue where the last scan date was incorrectly displayed as "N/A" in BW.

• VAUL-7065: ​​We've fixed an issue causing incorrect font display on the web vault.

• VAUL-7068: We resolved an issue where the "Work Offline" button was incorrectly displayed for users without offline access, even after clearing the browser cache or logging out

• VAUL-7076: We've fixed an issue causing the error "No key for encryption of security data" in Vault.

• VAUL-7074: Sharing invitations can now be sent without errors.

• VAUL-7080: We've fixed an issue preventing update_security_data from working on ECC-only enterprises.

• VAUL-7079: We've fixed an issue causing several missing key warnings.

• KDE-1346: We've fixed an issue with misaligned edit icons for KFFA hotkeys.

• KDE-1423: We've fixed an issue where the Topsite list wasn't narrowing correctly as users typed in the title field

• KDE-1428: We've fixed an issue preventing users from moving owned records into shared folders.

• KDE-1500: We've fixed an issue where incorrect notifications were displayed for oversized file uploads

• KDE-1048: We've fixed an issue where the Region Selector was cut off at the bottom in KFFA.

• KDE-1538: We've fixed an issue where resetting Keeper from the Help Menu didn't clear the desktop app cache

• KDE-1539: We've fixed an issue with the localization of the access expiration banner.

• KDE-1544: We've fixed an issue preventing password re-entry in KFFA.

• KDE-1545: We've fixed an issue where the offline edit indicator persisted after reconnecting to the server and logging.

• KDE-1540: We've fixed an issue preventing users from downloading large file attachments, which caused the app to stall

• KDE-1549: We've fixed an issue preventing Direct Import from LastPass due to a JavaScript error.

• KDE-1551: We've fixed an issue preventing the import of simple phone data from LastPass for non-address records.

• KDE-1552: We've fixed an issue that prevented new Enterprise Admin accounts from using a fresh install of KDE.

• KDE-1478: We've fixed an issue where the "Securely Upload to My Vault" option did not clear after a drag-and-drop operation.

• KDE-1553: We updated the macOS build environment from macOS 12 to macOS 13 in the build-desktop-vault.yml workflow.

• KDE-1556: We updated the download links for the desktop app to point to the new CloudFront distribution.

• KDE-1559: Fixed QA download page: now shows versions and directs users to the latest build.

• KDE-1565: We've fixed an issue preventing KSM device configurations from being generated.

Downloads

All Keeper Desktop apps are available at the Keeper download page.

User Guides

Web Vault and Desktop App user guides are located here.

Keeper Import Error

If you receive an "Unexpected Error" or "Unable to connect" when performing an import using the Keeper Import tool, this is typically due to a conflict with installed Antivirus or Proxy software. If this happens for you, please try importing by installing the Keeper Desktop application instead.

If you are an Enterprise Admin and you have control over the end-user firewall settings, please make sure that the user's desktop applications can communicate with Keeper Security's endpoints (e.g. keepersecurity.com, keepersecurity.eu, keepersecurity.ca, keepersecurity.jp, keepersecurity.com.au or govcloud.keepersecurity.us depending on the region).

Web Vault Login Issues

If you are experiencing issues with logging in, you may need to simply clear the Keeper cache on your browser. Here's the steps:

Chrome:

• Open the Web Vault

• Click on "View" > "Developer" > "Developer Tools"

• Click on the "Application" tab > "Clear Storage" > then click on “clear site data”

Edge:

• Clear Browsing data (Browsing history, Download History, Cookies and other Site Data, Cached Images and Files, Hosted App Data).

Firefox:

• On Privacy & Security page > Clear Data, (Cookies and Site data, Cached Web Content)

Safari:

• Go to Preferences > Advanced > select checkbox "Show Develop menu in menu bar"

• Then select "Develop" > Empty Caches

• Select "Safari" menu then "Clear History" and select All Time

Installation error 0x8007000D on Microsoft Store

If you receive this error when updating or installing the Desktop App on Windows, follow the below instructions.

1. Browse to "C:\Windows\SoftwareDistribution\Download" and delete the contents of the folder.

2. Press Windows key + X > Click Command Prompt (Admin) then type "wuauclt.exe /updatenow". Hit <enter>.

3. Open Control Panel > Windows Update and Windows 10 should begin downloading..

Press Windows key + X

Click Command Prompt (Admin)

Type in at the prompt OR Copy and Paste these one at a time : (Hit enter after each) Dism /Online /Cleanup-Image /CheckHealth Dism /Online /Cleanup-Image /ScanHealth Dism /Online /Cleanup-Image /RestoreHealth

also, run the Windows update Troubleshooter and check if it helps:

1. Press “Windows + X” and select Control panel.

2. In the search box, type troubleshooter, and then click Troubleshooting.

3. Under System and Security, click Fix problems with Windows Updates.

Keychain Password Import

The Mac Store version of the Keeper application does not support iCloud Keychain password import due to Apple's review process. However, the solution is to install Keeper Desktop directly from our download page.

Feature Requests

We love hearing from customers. Send your feature requests to: feedback@keepersecurity.com.

Beta Slack Channel

Join our Beta Slack Channel to post questions, feedback or receive new beta versions.

Enhancements:

• VAUL-6715: Improved KeeperFill Installation Prompt: The installation prompt for KeeperFill has been enhanced to offer a better user experience.

• VAUL-6716, VAUL-6789: Enhanced Import Functionality: When importing data from Keepass KDBX files, TOTP fields will now be correctly recognized and imported as Keeper TOTP fields, ensuring better accuracy and usability.

• VAUL-6748: Password Complexity and Generation: Password complexity rules can now be applied independently without generating a new password, offering more flexibility in managing your passwords.

• VAUL-6792: Better Folder Selection: We've improved the folder location selection in the new shared folder modal for a more intuitive experience.

• VAUL-4959: Updated Referral Program: Our referral program has been enhanced with updated incentives to encourage more users to invite friends.

• VAUL-6807: Password Policy Enforcement: The minimum password length is now set to 8 characters, with a maximum of 99 characters. Client applications will enforce this minimum length but allow users to increase it through their settings.

• VAUL-6798: Feature Promotion: New features such as RBI and KSM are now more visible to users for better awareness.

Bug Fixes:

• VAUL-6788: UID Generation: We've updated the UID generation logic to prevent creating UIDs that start with a dash.

• VAUL-6746: Firefox Compatibility: Fixed an error occurring in Firefox related to unsupported table versions.

• VAUL-6805: Privacy Screen: Resolved an issue where the privacy screen disabled URL edits for non-enforced URLs in shared records.

• VAUL-6784: Sharing Screen: Corrected the sorting order of items in the sharing screen for better usability.

• VAUL-6794: Account Registration: Addressed an issue where credentials were not properly handled when switching between login and account registration screens.

• VAUL-6819: Banner Display: Updated the banner display and support tool to match rounding requirements for better accuracy (e.g. number of days left in trial).

• VAUL-6786: Shared Folder Management: Fixed an issue where deleting a V2 record from a shared folder caused the folder to appear incorrectly. The record will now appear correctly.

• VAUL-6780: GRE Import Error Handling: Improved error handling during GRE import to ensure proper messaging when users are restricted from creating folders.

• VAUL-6808: App Stability: Fixed an issue where the app could crash if shared folder users were undefined, ensuring better stability.

KeeperPAM is now available for all customers. Keeper Vault 17.1 and newer is required to access the new privileged access management features.

For more information on KeeperPAM, visit the following:

• Website

• KeeperPAM Documentation

New Features

• • Currently only Supported on Keeper Commander

Improvements

• Browser tab now shows username: "Keeper® Vault - user@company.com"

Features

• VAUL-6175: Added thousands of popular website logos to the Vault user interface.

The implementation of website logos preserves full zero knowledge encryption and privacy. The entire library of logo files are embedded within the vault application.

• KDE-1403: Optional SSO login method through default web browser

If the new "Use Default Browser for SSO" option is enabled from the desktop application menu, the user will be routed to their default web browser on the device in order to login with their configured identity provider.

The primary reason for implementing this feature is to support SSO identity providers who support FIDO2 security keys or other authentication methods that are not technically supported from the Keeper Desktop embedded browser.

• DR-265: Ability to specify time zone and hour of day for scheduled password rotations

• VAUL-5620: Enhancements for Recently Deleted page

• VAUL-5686: Security Audit screen now has a "Last Change" column

• VAUL-6138: New "Advanced" settings menu which contains the following features:

  1. Search overlay controls

  2. Syncing delay to improve overall performance in high volume enterprise tenants

  3. Showing numbering in the record list view

Bug Fixes

• VAUL-6135: Currently only owner and share admin can update permissions, add/remove users, set/update expiration timers. User with can_share right should be also able to manage users up to its own level of privilege.

• VAUL-5659: Multiple Record Selection is not working in Deleted Items

• KDE-1421: Records created while in offline mode are not syncing properly when going online

• KDE-1373: KeeperFill for Apps Window opens in wrong location when tray is not in visible dock

• KDE-1395: Memory leak on Mac App from repeat launching through cmd+tab, clicking the dock item, etc. This leads to unintended event handlers being enabled.

• VAUL-5675: User is not able to delete forever a Lost Record shared via Shared folder from Lost Access

• VAUL-5737: Missing 'Add to My Vault' button for records details panel in Lost Access tab

• VAUL-6009: If you have a role enforcement set to restrict all record types in the vault, the import option during onboarding is now hidden.

• VAUL-6083: Filename not being added to title when drag-and-drop attachment in Chrome/Edge

• VAUL-6204: Import from Thycotic / Delinea Secret Server missing notes field and SecretTemplates section

• VAUL-6213: Record title auto-suggestion not working when there are multiple words

• VAUL-6214: Date formatting error when Arabic language selected

• KDE-1411: On Mac, keyboard layout is cached on first use. When filling a password with KeeperFill for Apps on Mac, a map of key codes to character mappings is generated and cached. This cache is not released when the keyboard layout changed with the app running, resulting in incorrect key codes being sent for some characters.

• KDE-1422: The "Create Record" hot key is turned on when the app is initially not in focus, preventing that hotkey from being used by other apps.

• KDE-1385: KeeperFill for Apps is not able to detect secure fields when a record uses the "native app filler" field type.

• KDE-1426: After importing files, KeeperFill for Apps doesn’t show the records. This leads to assertion failures with BreachWatch data which require record keys to decrypt the data.

Security Updates

• VAUL-6170: Security improvements using CryptoKey storage on Firefox browsers for device keys

• VAUL-6179: Convert ECIES-encrypted Record Keys to Data Key-encrypted Record Keys upon login.

• KDE-1406: New desktop app installs will now store device private keys in the Apple Keychain or Windows Credential Locker instead of Chrome CryptoKey local storage, for improved security for native app installation. Existing keys will not be transferred until a reset takes place.

• KDE-1412: Upgraded Electron platform to v26.2.4. This was actually released to production already in version 16.10.9 on a standalone basis.

Other Improvements

• KDE-1417: When filling into a remote desktop session using mstsc.exe, incorrect characters are used with a different keyboard layout than the host machine.

• VAUL-6219: Improved the automatic team-user approvals upon logging in. This new method handles a large number of pending users.

• VAUL-6200: When viewing a deleted record, file attachments cannot be downloaded until the record is restored.

• DR-348: Hide or gray out "Rotate now" button on modifying rotation settings

• VAUL-5926: Shared Folder and Direct Share screens will only list those Share Admins who are explicitly shared to the object, to reduce confusion.

• VAUL-5738: Allow free trial users to view record history

• VAUL-6128: Show long folder names on-hover

• KDE-1399: Return focus to previous app/window when KeeperFill for Apps is closed

• 508 Compliance: Over 20 tickets related to 508 compliance / ergonomics improvements

• VAUL-5875: Create Duplicate UI changes to support various use cases:

  • If privacy screen is enabled, do not allow duplication

  • If a user duplicates a record that has linked records such as address or payment records, allow duplication of the record, disallow duplication of linked records, and present a notification: “The record you are duplicating contains links to other records. The linked records will not duplicated.”

  • If a user duplicates a record that has attachments, allow duplication of the record, disallow duplication of the attachment, and present a notification: “The record you are duplicating contains attachments. Attachments will not be duplicated. In order to duplicate attachments, download the attachment from the original record and re-upload to the newly created record.”

• KDE-1414: New font type "Outfit" to replace "Overpass". This is Keeper's new font that is being slow-rolled across all platforms and interfaces.

Known Issues

• Migrating from LastPass using Okta SSO saying "Import Error"

In the Okta Admin portal under Applications, locate your "LastPass Okta Login" application. Under the "Sign-in redirect URIs" section, add the following URI: http://localhost/ then click "Save".

Improvements

• VAUL-6523: Added pin code generator to "Pin Code" custom field

• VAUL-6595: Improved 508 compliance for "Record Types" default actions

  • Escape key closes "Record Types"

• VAUL-6596: Enhanced 508 compliance for "More Filters" default actions

  • Escape key closes "More Filters"

• VAUL-6597: Fixed issues with 508 compliance regarding possible actions. Dropdown lists out of focus are automatically closed

Bug Fixes

• VAUL-6550: Implemented a modal warning for trials expiring within 24 hours

• VAUL-6747: Removed offensive words from the word list

• VAUL-6613: Updated strength indicator to prevent it from turning green erroneously

• VAUL-6721: Fixed the default passphrase separator issue

• VAUL-6719: Corrected domain conflict alerts to display the appropriate text

• VAUL-6519: Fixed issue with Chrome displaying a break in the password generator

• VAUL-6728: Prevented users from saving passwords with domain conflicts

• VAUL-6729: Ensured that users with privacy screens cannot view PIN codes

• VAUL-6732: Introduced new alerts for different domain conflicts

• VAUL-6737: Added missing strings for various languages

• VAUL-6741: Improved vault UI responsiveness when saving new passwords

• VAUL-6736: Resolved issues with the PIN-CODE and PIN Generator not working

• VAUL-6740: Added missing translation for 'Your password has been saved'

• VAUL-6754: Implemented in-app popup for expired trial warnings

• VAUL-6753: Fixed issue with the privacy screen feature

• VAUL-6759: Fixed the issue preventing saving passphrases with domain conflicts

• VAUL-6761: Resolved incorrect display of consumer/enterprise settings

• VAUL-6770: Ensured default configuration is correctly applied when new fields are unchecked

• VAUL-6776: Fixed GUI issues in the password complexity feature

• VAUL-6723: Fixed issues with losing ownership of a record in a shared folder

• VAUL-6693: Corrected tooltip hover text display issues in shared folders

• VAUL-6653: Fixed time selection issues in the date picker configuration

• VAUL-6726: Resolved a white screen crash issue

• VAUL-6688: Resolved UI issues with the new shared folder modal

• VAUL-6733: Addressed issues with configuration records not being viewable

• VAUL-6731: Fixed time picker for 24-hour time format in One-Time Share

• VAUL-6734: Fixed file upload issues

• VAUL-6738: Corrected viewing link display issues in One-Time Share

Features

Passphrases

Passphrases can now be generated and stored in the vault. The Password Generator includes advanced character/symbol policy preferences

Time-Limited Access

Launched Time-Limited Access, which allows temporary sharing of records and folders with other Keeper users.

Self -Destructing Records

Launched Self-Destructing Records, which allows sharing of records with other Keeper users for a time period after which the record is deleted for both parties.

Shared Item Recovery

Recently deleted shared records from within shared folders can now be recovered from the "Deleted Items" section of the Web Vault and Desktop app.

In the "Deleted Items" section of the vault, you'll see a new tab called "Shared Folder Contents". This tab contains records that were deleted by a user of the shared folder with "Can manage records" permission. Records which appear in this tab are able to be restored from any user who currently has access to the shared folder. This feature was created to make the restore process accessible from any shared folder participant when a record has been removed by any team member.

For security reasons, if a change was made to the record after it was removed from the shared folder, it cannot be restored and the original owner must re-share it.

Bug Fixes

• VAUL-5271: Fixed an issue that prevented record type changes with some records

• VAUL-5628: Fixed an issue that prevented some date fields from being searchable

• VAUL-5842: Fixed various issues with consistently updating fields on language changes

• VAUL-6163: Fixed an issue that allowed entry of more than the five allowed emergency access contacts

• VAUL-6168: Fixed a display issue when certain record types are disabled

• VAUL-6198: Fixed an issue that prevented error message from being shown when attempting to invite a user with an invalid email address

• VAUL-6242: Fixed an issue that prevented hover text from being displayed on truncated records

• VAUL-6301: Fixed an issue where some countries would not sort properly in records with a Country field

• VAUL-6340: Implemented hashing algorithm for account mapping within the vault

• VAUL-6345: Implemented proper handling of international phone numbers in records

• VAUL-6353: Fixed a UI issue where a password slider artifact would appear over search results

• VAUL-6365, VAUL-6373, VAUL-6392: More descriptive errors are now displayed when attempting to create a record, folder or shared folder using an account that does not have appropriate rights

• VAUL-6370: Fixed an issue syncing teams to the vault on initial sync

• VAUL-6383: Fixed an issue that prevented a user from creating a shared folder under certain Granular Sharing Enforcement policies

• VAUL-6393: Granular Sharing Enforcements now apply even in the vault is in offline mode

• VAUL-6397: Fixed an issue with syncing records after ownership transfer

• VAUL-6427: Fixed an issue importing from Proton Pass on Windows

• VAUL-6439: Fixed an issue that prevented the owner of a shared record from deleting records in some scenarios

Security Updates

New Features

• VAUL-5867: Support for TOTP seeds in CSV import method

• VAUL-5177: Import from Thycotic Secret Server / Delinea

Bug Fixes

• KDE-1364: Crash when double-clicking the Touch ID icon

• KDE-1365: Entering an incorrectly formatted username in SSO Connect on an ASDF Domain causes a crash

Security Updates

• VAUL-5868: Upgrade to React 18 library

Bug Fixes

• VAUL-5211: After logout and login, SSO users will no longer be set on the SSO Domain screen.

• KDE-1371: App crash when registering a security key

Improvements

• Set new default PBKDF2 iterations to 1,000,000 rounds

Bug Fixes

• KDE-1313: LastPass automated import hanging on some accounts

• KDE-1319: Safari import hanging on macOS Ventura

Older release note content is still available, but anything older than the last 10 updates is placed here.

Features

• VAUL-5409: Support for JP and CA regions

Features

• VAUL-5029: Introducing One-Time Share. See the Admin Guide and End-User guide for more details.

• KDE-1214: Support for M1-based Macs. Our download page provides install links for the .dmg file and the Mac App Store. The .dmg file contains both Intel and M1 Mac binary builds.

Improvements

• VAUL-5021: Additional support for 508 compliance in Secrets Manager and other functional areas.

Bug Fixes

• VAUL-5228: Unable to recover account with WebAuthn as the 2FA method

• VAUL-5233, VAUL-4958, VAUL-5232: Several issues with File Upload failures

• VAUL-5164: Support for Dashlane import with Argon2D and PBKDF2 200k iterations

• KDE-1233: Crash on Windows Server 2012 R2 on SSO Login

• KDE-1237: Tab key not being sent to Citrix client use Native App Fill

Features & Improvements

• KDE-1090: Upgraded Electron framework to 17.x

• KDE-1203: Added a new Hot Key for filling TOTP codes (Ctrl/Cmd+Shift+T)

• KDE-1206: Added {SPACE} keystroke for KeeperFill for Apps typer feature

• VAUL-5047: Added Passportal Import tool

• VAUL-4597: Added Record UID to BreachWatch events for Advanced Reporting & Alerts module.

• VAUL-5140: Improved speed for large vaults

• VAUL-5160: Improved 1Password import which includes TOTP codes

• VAUL-5184: Improved MyKi import to support TOTP codes

Bug Fixes

• KDE-1200: Crash when running Keeper Desktop on Fedora 35

• KDE-1207: KeeperFill hotkey filling improvements over VMWare, Datto RMM and other remote desktop tools.

• KDE-1065: KeeperFill for Apps not working over RDP with french keyboard

• KDE-1117: Touch ID with IP restriction and offline access not working

• KDE-1087: "Unable to connect" error when using KeeperFill for Apps

• KDE-1118: KeeperFill for Apps with Touch ID and Webauthn hangs on login

• KDE-1181: Whichever method signed in last (master password or biometric) is only able to be used offline. So if you last signed in with master password, signing in offline with master password works. But if you last signed in with touch id, signing in with touch id offline works.

• KDE-1132: KeeperFill for Apps using "Generate password" has issues when loading the main desktop app.

• KDE-1183: Native App Filler clicking tray changes focus

• KDE-1099: Offline mode not working with IP restriction is activated

• KDE-1186: SSO user logging in with Biometric is logged out to the wrong screen

• KDE-1209, KDE-1210: LastPass import improvements and error handling

• KDE-1213: Crash when setting up the OnlyKey security key hardware device

• KDE-1217: Searching for Typed records within Shared Folder paths fails

• VAUL-5092: Copying UID from Safari 15 user interface fails

• VAUL-5102: Switching to Keeper DNA push method not showing correct screen

• VAUL-5113: Secrets Manager app details GUI not showing correct permissions

• VAUL-5107: Allow viewing and copying of Notes if the masking and privacy settings are activated.

• VAUL-5098: After deleting a security key, toggle of 2FA doesn't visually show the action

• VAUL-5114: Enforcement policy of re-authentication when revealing password was not working properly

• VAUL-5153: Web Vault is saving phone number fields with formatting, which caused other client apps to crash.

• VAUL-5155: Automatically fixes formatting issues from Android record data

• VAUL-5156: Re-sharing a shared Record Type record that contains file attachments fails

• VAUL-5154: UI issues when linking to Emergency Access screens

• VAUL-5144: Multi-select and bulk edit not working properly in List View

• VAUL-4933: Repaired Avast import

• VAUL-5157: Import from legacy records missing TOTP field

• VAUL-5163: QR codes from Okta Verify are showing empty fields

• VAUL-4949: Can't type spaces when searching through the country names

• VAUL-5185: Searching not matching on general record types with custom field values

Bug Fixes

• KDE-1273: Touch ID shows as "enabled" for users after an app reset

• KDS-1277: Custom Record Template showing "Discard Changes?" on save

• VAUL-4849: Showing content security policy error in console on login

• VAUL-5362: EU data center BreachWatch errors for users on a free trial

Improvements

• Added support for Password Manager Pro import

• Added support for generic .xls or .xlsx file import

Bug Fixes

• Multiple Tickets: Several UI bugs, translations and visual fixes

• VAUL-5307: SMS support for Trinidad and Tobago

• VAUL-5260: Payment card phone number saves incorrectly

• VAUL-5344: Removed Duplicate detection button for now due to inconsistencies

• KDE-1255: Touch ID setting turns off when signing in with the Laptop lid open

• KDE-1228: Canceling the Yubikey setup and login flow gives error

• KDE-1254: Filling from KeeperFill for Apps with German keyboard issues

• KDS-1244: Filling from KeeperFill for Apps with French keyboard issues

• KDE-1269: After logout, KeeperFill for Apps not selecting proper region (Govcloud)

• KDE-1274: KeeperFill for Apps with Privacy Screen not working in Microsoft Edge

Improvements

• VAUL-5320: Additional confirmation upon deletion of a Shared Folder

• KDE-1266: Added ability to delete account for Mac Store consumer version

Features & Improvements

• VAUL-5035: Ability to convert "general" to new Record Types

• VAUL-4879: Role enforcement to activate Stay Logged In

• VAUL-4893: Role enforcement to enable Self Destruct

• VAUL-5201: Improved performance of uploads and downloads

Bug Fixes

• VAUL-5187: QR Code upload fails for certain formats

• VAUL-5202: MyKi and 1Password TOTP record imports are not autofilling*

  (*) To resolve existing records, run the verify-records command in Keeper Commander.

• VAUL-5191: TOTP and custom fields not available in CSV export

• VAUL-5195: Field validation on custom field Phone Number not working properly

• KDE-1224: Linux app shows blank screen when using Yubikey

• KDE-1222: Login on desktop app with Touch ID and Yubikey not working properly

• KDE-1218: Default password generator in KeeperFill for Apps not including symbols

• KDE-1223: Desktop App not maintaining disabled logout timer setting

New Features and Improvements

• VAUL-4710: Secrets Manager user interface is now generally available on the Keeper Web Vault and Desktop App. For more information about Keeper Secrets Manager, see:

  https://docs.keeper.io/secrets-manager

• VAUL-4904: Visual improvements and workflow improvements for Record Types template creation.

• VAUL-5062: Added MyKi password manager to Keeper Import screen

Security Updates

• VAUL-5038: Migrated from webpack4 to webpack5

• KDE-1163: Additional changes to ensure that logout clears all memory. User-initiated logout performs full restart of the Keeper Desktop application.

Bug Fixes

• KDE-1164: KeeperFill for Apps will only process hotkeys when a record has been selected. This prevents conflicts between existing hotkeys and KeeperFill.

• KDE-1169: Sync errors after deleting a Shared Folder

• KDE-1168: "Object no longer exists" error when switching between KFFA and Desktop App

• VAUL-5039: Record Type fields saving the translated label

• VAUL-5041: Importing CSV with limited columns can throw an error

• VAUL-5042: Can't view notes when Privacy Screen is ON and Masking is ON

• VAUL-5049: Can't change the record type (causes crash)

Features & Improvements

• KDE-1193: Include TOTP fields in LastPass automated import

• KDE-1178: Include file attachments in LastPass automated import

• VAUL-5133: Add checkbox to make LastPass shared folder imports optional

Bug Fixes

• VAUL-5143: Error message first time you drag-and-drop a file attachment into a record

Improvements

• KDE-1150: Support for CCH Axcess native app autofill

• VAUL-4991: Changed Software License Number to a hidden field

Bug Fixes

• KDE-1157: Improved support for Azure Conditional Access

• KDE-1156: Remove use of legacy windows registry key which generates a report in Cybereason

• VAUL-5036: Restore of Record Type records

• VAUL-5018: Showing "unexpected error" when creating user accounts with a pending transfer acceptance

• VAUL-5000: Prevent record copy when Record Type is restricted by role enforcement

• VAUL-4978: When sharing is disabled, the action silently fails when adding a user to a shared folder.

• VAUL-5014: Edit and Delete actions in the Grid View don't work

• VAUL-4964: "Unknown sharing error" when the user's email has never been verified.

• VAUL-4999: Error when trying to edit a custom Record Type when the type is restricted.

• VAUL-5030: Importing records can generate an app crash

• VAUL-4869: Import column selections don't persist when there are many fields to map

• VAUL-5001: During import of CSV, column changes are lost when scrolling horizontally

• VAUL-4934: Large number of image attachments in a record can generate errors when loading thumbnails.

Bug Fixes

• VAUL-5079: Unable to login with Internet Explorer 11

Improvements

• VAUL-5032: 508 Accessibility updates (checkboxes, menus, contrast and resizing)

Bug Fixes

• VAUL-5024: Record Type records not syncing after activating Record Types

• VAUL-5018: Showing "unexpected error" when creating account with a pending transfer acceptance

• VAUL-4578: Account recovery failure on a new device

• VAUL-5000: Prevent record copy when record type is restricted by role enforcement

• VAUL-4978: When sharing is restricted, user receives no visible error when sharing and it fails silently

• VAUL-4906: Unknown Sharing Error when email is not verified

• VAUL-5023, VAUL-5017: Record type errors with Bank Account and Payment Cards

• VAUL-5030: Browser Extension causes forced logout after importing records

This is a bug fix release that mainly focuses on the new Record Types feature (still in beta). Therefore most customers are not affected by the bug fixes listed below.

Bug Fixes

• KDE-1077: Logout from KeeperFill for Apps generates an error

• KDE-1067: Record Type creation not using the generated password

• VAUL-4811: Australia data center link to Keeper Importer generates 404

• VAUL-4784: Edit button missing

• VAUL-4790: Decryption issue with Linked Record Types

• VAUL-4786: Privacy Screen is hiding notes and custom fields

• VAUL-4789: Uploading large number of files produces "throttle" errors

• VAUL-4791: Decryption errors inside Shared Folders with Record Types

• VAUL-4667: Error message when using Account Recovery flow

• VAUL-4524: BreachWatch status failure with "status 400"

• VAUL-4787: Vault grid view now showing new Record Type icons

• VAUL-4800: Sharing and Emergency Access showing confusing messages

• VAUL-4805: Deleting shared record not showing in Deleted Items

• VAUL-4810: Newly attached files not creating record links, produces error with Record Types

• VAUL-4825: BreachWatch admin reports not getting updated

Improvements

• KDE-1072: Update Electron Framework to 12.0.6

• Support for Safari 15 automated password import

Accessibility (508 Compliance)

• Keeper has been making UI changes across all web-applications and browser extensions to comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d). The Keeper Web Vault and Desktop App now supports keyboard navigation and they are compatible with popular screen readers and other assistive technology.

Features and Improvements

• KDE-1079: Packaged an all new Safari browser extension with the latest features as Chrome, Firefox and Edge extension.

• KDE-1080: Added support for Windows Hello role enforcement policy

• KDE-1081: Upgraded the Electron framework to v12.0.9

• VAUL-4692: Add clarification around the minimum security answer length requirements

• VAUL-4588: Initial Support for 508 Compliance across Web Vault and Desktop Application

• VAUL-4694: Unless disabled by role enforcement policies, users will be required to configure Account Recovery instead of indefinitely delaying

• VAUL-4750: Simplified the new customer experience when purchasing Keeper prior to creating free Vault account.

• VAUL-4822: Improved the embedded image viewer

• VAUL-4092: Added Bitwarden to the available import formats

Bug Fixes

• KDE-1092: LastPass automated import broken for certain users due to iterations settings.

• VAUL-4830: 2FA enforcement with SSO user causes extension and vault to be out of sync during login.

• VAUL-4836: Auto-suggestion drop-down fills the entire screen when there are very long URLs stored in the vault.

• VAUL-4838: "Ghost" records in vault when deleting a shared folder containing an owned record

• VAUL-4840: Gracefully handle scenarios where team keys cannot be decrypted

• KDE-1073: UI issues caused when the vault logs out while push notifications are in front.

• KDE-1085: Denying the password importer prompts can lead to a frozen Keeper Desktop app.

Features

• KDE-990: Support for logout timer with more than 1440 minutes

Bug Fixes

• KDE-1021: Errors when logging into Azure

• VAUL-4643: Login hangs when a user converts from Master Password to Cloud SSO

• VAUL-4644: Record "info" screen is not showing the user who made the change

• KDE-839: Update Electron framework dependencies

• KDE-1009: Update Electron framework

• KDE-1005: Touch ID + Yubikey + using a backup 2FA method fails login

• KDE-1007: Signing in on KeeperFill for Apps using SSO and Duo not receiving verification email

• KDE-1013: Clicking to copy a field sometimes didn't copy

• KDE-1011: Better handling of Logout Timer setting

• KDE-990: Logout Timer improved handling and support for more than 1440 minutes

• KDE-1018: Windows Hello activation issue on Microsoft Store version

Bug Fixes

• VAUL-4643: Login hangs when a user converts from Master Password to SSO Cloud login.

• VAUL-4644: Record "info" screen sometimes does not return the user information in Last Modified date.

Bug Fixes

• REL-3160: Import instructions for Avast are missing

Keeper is proud to announce our release of version 16.9.0 of our Web Vault and Desktop App. This new version includes a new design with a user interface refresh along with some new features and bug fixes.

See our blog post for additional details:

New Features

• Keeper Desktop App now supports Import SSO LastPass vaults from Okta SSO and Azure SSO federated accounts

• Advanced Search: Recently viewed records, search filters and more

• Onboarding: New user onboarding has been improved

• UI Refresh: Look and feel of the vault has been improved

• MFA: When signing in with 2FA for the first time, there are now additional options. The Web Vault now offers 12-hour and 24-hour in addition to the previous options (every login, every 30 days, and don’t ask again on this device.)

• Support for Google Authenticator QR code export format

• Security Scores: "Security Data Sync" in the diagnostics menu will refresh your security scores

• Lost Records: Shared records that have been removed from your vault, but are owned by you, can be recovered from the Deleted Items screen. The tab will only show if you have relevant records.

Bug Fixes

• We truncated the view of super long URLs in the record detail screen

Features

• Share Admin Keeper's Share Admin feature is a role-based permission that gives administrators elevated access rights over your organization's shared folders and shared records. Share Admins have full user and record privileges for any shared record that they have access to. See: https://docs.keeper.io/enterprise-guide/share-admin

• MSP to Managed Company Team Sharing Directly share folders to Managed Company teams

• General to Record Type Conversion You can now right-click to change the type of any record, including migration from the legacy "General" record types. Multi-select + right click allows migration of multiple records at once.

• Default Record Permissions Quickly set permissions during the creation of a Shared Folder

• Default Folder Settings moved into the "Settings" tab In addition, you can now apply permission changes recursively and retroactively.

• Shared Folder UI improved visibility Several enhancements to the UI which improve the visibility and management of Shared Folders.

• Team Visibility There is now a "View Team" function in several locations so that you can see who you're sharing to.

• Collapsed View of Records When a folder contains subfolders and records within subfolders, you can now collapse the view, in order to apply changes recursively. Select "Show subfolder records" to collapse the list.

• Retroactively apply permissions When "Show subfolder records" is selected, the Settings tab will display a checkbox called "Apply permissions to all subfolders" which will apply the default folder settings to all existing records within folders and subfolders.

Features

• VAUL-5165: Offline Create/Edit Record capability

• VAUL-5181: New UI for login screens

• VAUL-5031: Hundreds of new website logos added

• VAUL-5208: Additional 508 compliance / accessibility updates

• KDE-1253: Enterprise enforcements for Desktop App distribution defaults. This allows the Admin to define the default SSO Domain and Data Center location. Detailed instructions available at this link: https://docs.keeper.io/enterprise-guide/deploying-keeper-to-end-users/desktop-application#enterprise-configuration

Bug Fixes

• VAUL-5295: CSV Import GUI fixes

• VAUL-5095: Unable to ignore BreachWatch record which has edit rights

• VAUL-5045: BreachWatch can indefinitely alert about a breached record

• VAUL-5257: Second login required to send security audit data to the Admin Console.

• VAUL-5251: Unable to export records with the Login record type restricted by admin.

• VAUL-5248: Create Duplicate feature appearing for records that have Privacy Screen enabled.

• VAUL-5270: Processing pending team members can sometimes cause the vault to display no data.

• KDE-1220: KeeperFill for Apps compatibility issues with Apache Guacamole / Keeper Connection Manager running on a Mac host.

• Several small UI bug fixes

Improvements

• KDE-1246: Upgrade Electron framework

• KDE-1261: 10x speed improvement on file uploads for large file attachments.

New Features and Improvements

• Introducing Record Types for Web Vault & Desktop App (Limited Release) This release introduces a powerful new feature called "Record Types", which gives users the ability to create records of various template types, grouped into categories, each containing a unique collection of field types and functionality fields within the record. Record templates can be created by Admins that are custom to the needs of the business. This feature is only available for Enterprise customers, activated on an individual basis at this time, because the Browser Extension, iOS and Android apps are still under development. If you are interested in being an early adopter of Record Types, please contact your customer success team member at Keeper and we'll activate the feature.

• Generate a Password in KeeperFill for Apps Keeper's password generator is now within easy reach in the KeeperFill for Apps toolbar landing screen. Users can generate and copy the secure password or use it to create a new record.

• Comprehensive Keyboard Command Functionality for KeeperFill for Apps

• Support for NTLM Authentication for Microsoft Windows Customers

Bug Fixes

• KDE-959: The "Session Timed Out" dialogue appears when logging into a different account after a session timeout occurs

• KDE-1034: When a user attempts to switch from US to EU region at login, an Uncaught TypeError is returned

• KDE-977: Selecting "Create an Account" in KFFA opens the login page on Keeper Desktop

• VAUL-4721: The "Admin Console" button in the Vault fails to redirect Enterprise users to the console

• VAUL-4516: Users are prompted for their 2FA code twice when logging into EU SSO Cloud account

New Features & Improvements

• Support for Azure Conditional Access on the Keeper Desktop application for users who login with Single Sign On. Previously, Azure Conditional Access policies could not be added to Keeper.

• Increased the number of special characters used in the password generator to this set:

  !@#$%()+;<>=?[]{}^.,

• Support for cookie persistence on the Keeper Desktop application for users who login with Single Sign On. This reduces friction and steps for users who sign in often.

• Support for additional SAML SSO identity providers and elimination of any browser type recognition issues.

• 🇺🇸 Support for the Amazon AWS GovCloud environment. Keeper is currently FedRAMP in-process and public sector entities can now establish their Keeper tenant in the GovCloud environment. Contact the public sector sales team at govsales@keepersecurity.com for more information.

• Support for the upcoming Compliance Reports feature. The Vault will encrypt appropriate compliance data from records and send it to the Admin Console. There is no change to the end user experience in the Vault.

• Added a Region Selector in login screens and KeeperFill for Apps

• Users on the Web Vault are encouraged to download the Desktop App for performing automated transfer from LastPass.

• Import from Bitwarden now supports TOTP seeds for Two-Factor Authentication.

• Import from Bitwarden now supports multiple URL fields.

Bug Fixes

• VAUL-4848: 1Password import not importing secure notes field

• VAUL-4851: Safari Sierra and High Sierra not importing passwords

• VAUL-4852: Import token invalid in AU region

• VAUL-4543: User cannot save an address that does not have a title

• VAUL-4586: Access Delay for Emergency Access displays incorrectly

• VAUL-4640: Long security answer blocks user from using Account Recovery

• VAUL-4797: Clicking the dice button on an existing record should not reduce the complexity.

• VAUL-4911: Kaspersky import fails when the data contains certain reserved words

• VAUL-4946: Card type not being displayed when typing in the credit card number

• VAUL-4960: File drag-and-drop into a New record is not being saved on first try

• VAUL-4941: Hebrew language is showing the TOTP code in reverse order

New Features & Improvements

• Expansion to AU Data Center - Keeper now supports an AU data center. Users have the option to select "AU" from the region selector at login for Keeper Desktop App.

Bug Fixes

• KDE-1043: Horizontal scrollbar appears in record details

New Features

Bug Fixes

• Operations that required re-authentication (e.g. export, reset master password, etc) were not accepting the password, if the session was resumed from a page reload or "Stay Logged In". This has been resolved.

Improvements

• VAUL-4589: Support for Avast password import

Bug Fixes

• KDE-991: KFFA allows for special characters during hotkeys setup

• KDE-993: Defined hotkeys are still active when the Vault window is closed

• KDE-994: Keeper Desktop app fails to install on Windows 10 20H2

• VAUL-4557: Error message intermittently appears upon logout

Bug Fixes

• VAUL-4549: Unable to reset Master Password with Browser Extension v15.0.2 installed

• VAUL-4548: Master Password reset hangs when session is resumes via "Stay Logged In" feature

• VAUL-4556: Shared folder/record invitation is not appearing on login

• KDE-975: Javascript error appears when opening Desktop Electron from Safari Extension

Bug Fixes

• VAUL-4472: "Salt/Iterations" error message when Master Password user tries to login with the SSO Alternate Master Password login screen.

• VAUL-4491: Unable to login on Chromium Edge from Extension in Microsoft Store version.

• VAUL-4494: Occasional failure to process Admin Approval for device approval step.

• VAUL-4265: Pressing "Enter" key while entering text in Japanese characters had unexpected results.

• KDE-941: Unexpected Logout occurring even if "Stay Logged In" enabled.

Improvements

• VAUL-4547: Support for Kaspersky password import

• VAUL-4552: Admins now receive a warning before removing themselves from a shared folder

• VAUL-4566: Improved performance handling of vaults with large data sets

• VAUL-4551: Enterprise users to receive notification with explanation for Master Password change and complexity requirements upon login

Bug Fixes

• KDE-945: User receives error message after closing Desktop App and relaunching

• KDE-962: "About Keeper" options menu fails to appear after first launch of Desktop App on Windows

• KDE-972: KeeperFill for Apps fails to respond to hotkeys when switching between apps

• KDE-973: Recipient of a shared record is required to login again after the shared record has been edited

• KDE-903: Hotkey "CMD+TAB" focuses on KeeperFill for Apps when hidden instead of Desktop App (Mac)

• VAUL-4560: Deleting a record shortcut also deletes the original record

• VAUL-4468: Importing CSV records with "can edit" permission does not set permission

• VAUL-4562: Entering an email address with a trailing space at login generates an error message

• VAUL-4574: Sharing a folder causes login errors for the sharing user

Bug Fixes

• Fixed: The Web Vault logs out ahead of the browser extension and generates error messages

• Fixed: Shared folder permissions changes do not automatically appear for users in detail view as expected.

Enhancements & Benefits

• VAUL-4459: SSO Cloud users are able to auto-login and logout to the vault and browser extension simultaneously.

• VAUL-4400: Implementation of file attachment support for KDBX file format

• KDE-929: At login, the region automatically defaults to the region the user most recently has used

Bug Fixes

• VAUL-4471: The vault stores a cache for vault_login, overwriting new user Enterprise email invitations

• VAUL-4463: Excessive update_security_data requests are dispatched

• VAUL-4427: User unable to connect via Cloud SSO using Edge 44 and Firefox browsers

• VAUL-4311: Fix to allow the import of empty custom field values

• KDE-926: DUO push fails in EU accounts

• KDE-923: Windows Hello login fails in EU accounts

• KDE-919: "Clipboard Expiration" option missing from Settings menu

Features & Enhancements

• Login V3 General Availability (GA) More information available here: https://docs.keeper.io/enterprise-guide/login-api-v3

• Support provided for Touch ID and Windows Hello Login at the expired session screen

Bug Fixes

• Fixed: Accounts containing imported passwords do not calculate audit scores correctly.

• Fixed: Various login screen display issues causing various login/logout side effects (Safari).

• Fixed: When a user attempts to close the quick start module upon first login to the Web Vault, an error is triggered and window closes.

• Fixed: Logging out while in Offline Mode, generates an "Internal Error" message.

• Fixed: Canceling a Windows Hello Login, generates an "Error" message.

• Fixed: KeeperFill for Apps crashes when user attempts to search their records.

• Fixed: User unable to back out of the login screen once "Touch ID " is selected (Mac OS).

Bug Fixes

• Fixed: New Enterprise users (non-SSO) are prompted for device approval prior to account creation.

• Fixed: User login to web vault from browser extension fails on IE11 browsers.

Benefits & Enhancements

• Support for Chrome v80 Password Import - Support established for the import of passwords from Chrome v80 and newer on Windows devices.

Bug Fixes

• Fixed: A blank page appears when a user navigates first to the Sharing feature of a record then to Security Audit.

• Fixed: A user receives "device_id" error upon editing an record.

• Fixed: Issue preventing a user from saving Personal Info after an edit has been made.

• Fixed: After the 2FA duration enforcement change has been made, system is unresponsive to DUO Push verification.

• Fixed: Creating a new account following a login to an SSO account, triggers an error notification.

Bug Fixes

• Fixed: SSO Connect login is unsuccessful using Firefox's Private Browsing mode.

• Fixed: Issue causing the SSO Connect link to hang on Microsoft Edge (non-Chromium) and Internet Explorer browsers.

Benefits & Enhancements

• Password Importer Update - The Keeper Import Tool has been updated to version 14.0.6, supporting Brave, Chromium and Edge browsers along with several bug fixes.

Bug Fixes

• Fixed: KeeperFill for Apps crashes when a viewed record is deleted or transferred.

• Fixed: Record edits made in KeeperFill for Apps are not displayed until after the user logouts/logins.

• Fixed: 401 error appears when a user redirects between US and EU accounts.

• Fixed: Users receive "exceeded_depth" error message in an attempt to delete a root folder with a large quantity of subfolders.

• Fixed: Issues with DUO push for back-up Two-Factor Authentication method and "Forgot Password" flow.

Features & Enhancements

• Privacy Screen - Admins now have the ability to control the viewing (unmasking) of passwords based on a specified domain. Additionally, it prevents the user from changing the website URL after the record has been saved. This policy is enforceable by the Admin for individual domains within each of their Generated Password Complexity settings by enabling "Apply Privacy Screen".

• Master Password Re-entry Enforcement - This role enforcement allows Admins to require their users to re-enter their Master Password in order to unmask or copy a password.

• Sharing & Uploading Enforcement Policy - This role enforcement policy allows Admins to prevent their users from importing records from Web App and Desktop App.

Bug Fixes

• Fixed: "Can Edit" and "Can Manage" text is not translated when a user attempts to import from a JSON file. Instructions for the JSON import feature have been updated and can be referenced here.

• Fixed: New user accounts prematurely display step 3 of the "Quick Start" walkthrough as completed.

• Fixed: Various issues related to the privacy screen feature within the Admin Console.

• Fixed: KeeperFill for Apps crashes when unlocking in offline mode.

• Fixed: The Keeper icon is missing from the dock on Linux operating systems.

Benefits & Enhancements

KeeperFill for Apps Redesign - This release entails a comprehensive design and technical update of KeeperFill for Apps, dramatically enhancing the user experience with the Keeper Desktop App. The Desktop App window can now be closed but remain running and accessed through the system tray via the familiar Keeper icon.

Many of the existing features of Keeper's Desktop App can now be applied through KeeperFill for Apps, such as: filling credentials and launching websites, viewing all records and favorites, adjusting settings, and accessing Keeper's User Guides. Additionally, within the Settings menu, the following KeeperFill hotkey actions can be customized by the user, further streamlining their experience with Keeper for Desktop:

• Launch KeeperFill

• Fill Username

• Fill Password

• Open Desktop App

• Logout

Bug Fixes

• Fixed: Users are not able to save a new billing address when it is created within the New Payment Card window.

• Fixed: The shadow of KeeperFill for Apps remains behind after the window has been closed.

• Fixed: In certain scenarios, a password import from newer versions of Firefox cause the Keeper Desktop App to crash.

Bug Fixes

• Fixed: A blue error screen appears when logging into the desktop app with U2F (universal 2nd factor)

  on MacOS (High Sierra).

• Fixed: Encrypted files are not uploading properly causing the user to receive an error message.

• Fixed: The "Empty Trash" function within Recently Deleted records is not working properly.