Keeper protects TOTP codes for multi-factor authentication into sites and services.
Records that have a stored Time-based One-time Password (TOTP) for two-factor authentication (2FA) can be filled with KeeperFill.
Two-Factor Codes can also be filled from the right-click context menu.
Here's a video demo of setting up TOTP codes with Twitter:
If you are experiencing an issue where the Two-Factor (TOTP) codes are different between your mobile and desktop devices, this is usually caused by the time difference between your devices.
To resolve, ensure that your device time and date are set to "Automatic". If the times are different by even a few seconds, this will cause different codes to appear on different devices.
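The following is an added example, not part of Keeper's documentation or code. It implements RFC 6238 TOTP to show when a small clock difference produces different codes: whenever the two clocks fall on opposite sides of a time-step boundary. HMAC-SHA1, six digits and a 30-second step are assumptions, and the secret is the RFC's published test value.

```javascript
// Added example, not Keeper's code: RFC 6238 TOTP with HMAC-SHA1, 6 digits, 30 s step.
const { createHmac } = require('node:crypto');

const STEP = 30; // seconds per code; the usual authenticator default, assumed here

// Whole time steps since the Unix epoch. This is the only clock input to TOTP.
function counterAt(unixSeconds, step = STEP) {
  return Math.floor(unixSeconds / step);
}

// RFC 4226 HOTP over the time-step counter: HMAC, dynamic truncation, modulo 10^digits.
function totp(secret, unixSeconds, digits = 6, step = STEP) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counterAt(unixSeconds, step)));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Share of seconds in [start, start + span) in which a device whose clock is off by
// skewSeconds is in a different time step (so shows a different code) than a correct one.
function mismatchFraction(skewSeconds, start, span = 600, step = STEP) {
  let mismatches = 0;
  for (let t = start; t < start + span; t++) {
    if (counterAt(t, step) !== counterAt(t + skewSeconds, step)) mismatches++;
  }
  return mismatches / span;
}

// Constructed input: the published RFC 6238 SHA-1 test secret, not a real account secret.
const SECRET = Buffer.from('12345678901234567890', 'ascii');

// Two clocks 2 s apart on opposite sides of a step boundary (1111111110 = 37037037 * 30).
console.log(totp(SECRET, 1111111109), totp(SECRET, 1111111111));
// The same 2 s gap inside a single step.
console.log(totp(SECRET, 1111111111), totp(SECRET, 1111111113));
// Share of a 10-minute window in which a clock 3 s ahead is in a different step.
console.log(mismatchFraction(3, 1111111080));
```

With a skew smaller than the step, the mismatch is intermittent, which is why the codes on two devices can appear to agree at one moment and differ at the next.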
This guide reviews how to enable the new Stay Logged In feature and extend your Logout Timer setting.
By default, users are logged out of Keeper if their browser closes, or if their computer restarts. Keeper's "Stay Logged In" feature allows you to instead remain logged in for a configurable duration. Continue reading to learn how to enable Stay Logged In in the Keeper Web Vault, Desktop App and the KeeperFill Browser Extension.
Sign in to the Keeper Web Vault or Desktop App and click the Account Dropdown Menu (your account email) > Settings > Security and turn "Stay Logged In" on.
Keeper will then recommend that you also enable the "Auto-Logout" setting, to protect your account if you walk away from your device. Also known as the "Inactivity Logout Timer", this automatically logs you out of Keeper after a period of inactivity. You can set this timer to the duration you prefer and it will continue to count down if you close your browser.
If you've downloaded the KeeperFill Browser Extension, you can manage the Auto-Logout setting from the extension's security settings menu (more on this in the section below).
Business customers should note that your Keeper Administrator may disable or limit this feature based on the security settings of your organization.
If you've downloaded the KeeperFill Browser Extension you can enable both the Stay Logged In and Logout Timer features from the extension's security menu.
Click Settings > Security and enable (or disable) "Stay Logged In Between Sessions" and set an "Inactivity Logout Timer".
For security reasons, we recommend setting a reasonable logout timer duration when Stay Logged In is enabled.
Keeper's Stay Logged In feature uses Login API V3. The user's Master Password is NOT stored on the device or computer when using the Stay Logged In feature. Keeper utilizes advanced encryption, session management tokens and device authorization capabilities to protect your vault.
This guide provides an overview of how Enterprise and Business users can create a free Keeper Family Plan and, once it is created, how to easily switch between their Keeper accounts.
All Keeper Enterprise users can create a free Keeper Family Plan for up to 5 family members with unlimited devices. To create your personal vault, follow the steps below:
This vault is intended for personal use only. All business-related credentials must be stored within your company issued vault.
(1) Log into the Keeper Web Vault or Desktop App.
(2) Click on the Account Dropdown Menu (your email address).
(3) Select Account.
(4) Enter your personal email within the "Keeper Family License for Personal Use" section and click Send Email.
(5) Log out of your business vault in your browser by clicking on the Account Dropdown Menu > Logout.
(1) Open the Keeper invitation sent to your personal email and click Verify Email Address.
(2) You will then be redirected to Sign Up by creating a master password for your personal account.
If you follow the link sent on your desktop computer, you'll be properly routed to the same geographic data center that is associated with your Keeper Business Vault. Therefore, we recommend using your desktop computer to create your personal Keeper Vault.
If you decide to use your mobile device for creating your personal vault, see the instructions below.
If you decide to create your personal account on an iOS or Android device, please ensure you are in the correct data center location.
If you set up your personal Keeper account in the wrong region, you'll need to contact Keeper support to delete and re-create your account.
After your personal account has been created, it will appear in your business vault Account Menu.
Your linked personal account is licensed as a Keeper Family Plan account with 10GB of secure file storage and BreachWatch dark web monitoring.
The company managing your Business vault does not have any access rights or ability to decrypt information stored in your personal vault.
Your linked personal account will remain free on unlimited devices for as long as the business account is active.
If you leave the business, or if the business does not renew their subscription with Keeper, your Family license converts into a Keeper Free subscription. You may continue to use your personal license on one device, or purchase a Family or Unlimited subscription for all of the premium features.
Your Business Admin may remove the ability to share records from the business vault to the linked personal vault.
You can easily switch between your business/enterprise and personal accounts on Keeper for Web Vault, iOS and Android.
From your Web Vault, click the Account Dropdown Menu (your email address) > Account > Switch Account.
You will then be redirected to sign into that account using your master password.
If you have not already logged into the account you would like to switch to on the device you are using, you will first need to tap Add Account and enter your login credentials. Once added, it will appear in the list of accounts that you can switch between.
How to use Keeper to manage TOTP codes for protecting your Office 365 accounts.
Keeper can protect Azure AD / Office 365 logins with our TOTP (time-based one-time password) feature. By default, Microsoft provides a different type of code which supports their push method. Below are the step-by-step instructions for setting up Office 365 TOTP code support properly.
(1) From your Microsoft Azure / Office 365 Profile Screen, visit your security settings screen. The Microsoft site seems to change often, so we won't add a hyperlink here. Click on "Add Method" to set up two-factor authentication on your Microsoft account.
(2) Select "I want to use a different authenticator app" as your preferred option.
The QR code will be generated and displayed:
(3) On Keeper from your record, click on "Add Two-Factor Code". Or if you're using the mobile app, you can tap on "Add Two-Factor Code" to scan it with the camera.
(4) Enter the verification code as displayed in your Keeper app.
(5) Click Next and then Save the record in the Keeper vault.
Make sure to save the Keeper record before exiting the setup.
(6) To ensure that Autofill works with all the various Microsoft sites you may be using, we recommend adding several custom fields to your Keeper record similar to the screen below.
When logging into Microsoft Online, use Keeper's right-click menu as a simple way to fill the TOTP code.
This guide provides access to our top "tips & tricks" and assists users in optimizing their experience with Keeper on both desktop and mobile devices.
The following pages in this section are dedicated to various FAQs, site-specific guides and other tips & tricks. Have a suggestion? Email our team at .
Account switching is also available on and .
If you prefer to use keyboard shortcuts instead of mouse clicks to make the process of auto filling your passwords even more seamless, follow the steps below:
Navigate to the site you would like to log in to.
Type command+shift+k (for Mac OS) or alt+k (for Windows).
In the field provided, begin typing your search terms.
Use the up and down arrows on your keyboard to find and highlight the record you are searching for.
Use the enter key to quickly fill and log in to the site.
Recommendations for protecting access to your vault
At the foundation, Keeper is an encryption platform with policies and controls in place to protect customer data. In this security model, the customer is also responsible for protecting access to their vault by following recommended security practices. This document outlines key recommendations that will help you secure the data stored within your vault.
For customers who login to Keeper with a Master Password, the key to decrypt and encrypt the Data Key is derived from the Master Password using the password-based key derivation function (PBKDF2), with 1,000,000 iterations by default. All customers who login to the vault are automatically migrated to 1,000,000 iterations.
After the user types their Master Password, the key is derived locally and then unwraps the user's 256-bit AES Data Key. After the Data Key is decrypted, it is used to unwrap the individual 256-bit AES record keys and folder keys. The Record Key then decrypts each of the stored record contents locally.
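The key hierarchy described above, as an added example that is not Keeper's code. The page does not name the PBKDF2 hash, the salt size or the AES mode, so HMAC-SHA256, a 16-byte salt and AES-256-GCM are assumptions, as are all function names and the blob layout; `rewrap` shows why this layout makes an iteration-count change cheap and does not describe Keeper's own migration procedure.

```javascript
// Added example, not Keeper's code. Assumptions (the page names neither): PBKDF2 runs
// over HMAC-SHA256 with a 16-byte random salt, and keys are wrapped with AES-256-GCM.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const ITERATIONS = 1_000_000; // default iteration count stated on the page

// Master Password -> 256-bit key. This is the only step that depends on the password.
function deriveKey(masterPassword, salt, iterations = ITERATIONS) {
  return pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
}

// Encrypt under a 256-bit key. Output layout (assumed): iv(12) || tag(16) || ciphertext.
function wrap(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Decrypt; throws if the key is wrong or the blob was altered (GCM tag check fails).
function unwrap(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// What sits at rest: salt, iteration count and wrapped blobs. No password, no bare keys.
function createVault(masterPassword, records, iterations = ITERATIONS) {
  const salt = randomBytes(16);
  const dataKey = randomBytes(32);
  const stored = records.map((text) => {
    const recordKey = randomBytes(32); // one key per record
    return {
      wrappedRecordKey: wrap(dataKey, recordKey),
      body: wrap(recordKey, Buffer.from(text, 'utf8')),
    };
  });
  const wrappedDataKey = wrap(deriveKey(masterPassword, salt, iterations), dataKey);
  return { salt, iterations, wrappedDataKey, records: stored };
}

// Derived key unwraps the Data Key, which unwraps each Record Key, which decrypts the record.
function openVault(masterPassword, vault) {
  const kek = deriveKey(masterPassword, vault.salt, vault.iterations);
  const dataKey = unwrap(kek, vault.wrappedDataKey);
  return vault.records.map((r) =>
    unwrap(unwrap(dataKey, r.wrappedRecordKey), r.body).toString('utf8'));
}

// Raising the PBKDF2 cost rewrites only the Data Key wrapper; record blobs are reused as-is.
function rewrap(masterPassword, vault, newIterations) {
  const dataKey = unwrap(deriveKey(masterPassword, vault.salt, vault.iterations), vault.wrappedDataKey);
  const wrappedDataKey = wrap(deriveKey(masterPassword, vault.salt, newIterations), dataKey);
  return { ...vault, iterations: newIterations, wrappedDataKey };
}

// Constructed sample record; the low iteration count only keeps this demo run quick.
const sampleVault = createVault('correct horse battery staple', ['example.com / alice'], 10_000);
console.log(openVault('correct horse battery staple', sampleVault));
```

Every guess at the Master Password costs a full PBKDF2 run before the GCM tag on the wrapped Data Key can even be checked, which is where the iteration count and the password-length requirement do their work.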
Keeper implements several mitigations against unauthorized access, including device verification, throttling and other protections in the Amazon AWS environment. Enforcing strong Master Password complexity significantly reduces any risk of an offline brute force attack on a user's encrypted vault.
The National Institute of Standards and Technology (NIST) provides password guidelines in Special Publication 800-63B. The guidelines promote a balance between usability and security; in other words, passwords should be easy to remember but hard to guess. NIST recommends an eight-character minimum, but a higher value will ultimately result in a password that is harder to guess or crack. Keeper enforces a minimum of 12 characters for Master Passwords.
2FA can be added to any consumer or business account. Business customers can enforce the use of 2FA with various levels of control and security options. The 2FA step comes before the Master Password entry. Performing the device verification and 2FA step prior to the Master Password entry phase offers mitigation of several attack vectors including brute force attack, password testing and account enumeration.
To activate Two-Factor Authentication, visit the Settings screen of the Keeper Web App, Desktop App or mobile application.
Keeper also supports FIDO2-compatible WebAuthn hardware-based security key devices such as YubiKey and Google Titan keys as a second factor. Security keys provide a convenient and secure way to perform two-factor authentication.
Access to your email account is a key component in the overall security of your personal information. Ensure that your email account uses a strong auto-generated password created by Keeper. And ensure that you are protecting your email account with multi-factor authentication. Follow the steps provided by your email provider to lock down your account with the most restrictive methods possible.
We recommend that customers protect email accounts using a hardware-based YubiKey or Google Titan key when possible. If this is not available from your email provider, or if you don't own a YubiKey device, the next best thing is using a TOTP code generator.
Keeper supports the ability to store TOTP codes for logging into your email account or other service. To learn more about protecting TOTP codes in your Keeper Vault, click here.
While using SMS as a two-factor authentication setting is better than having nothing at all, we don't recommend relying on SMS due to well documented SIM swapping attacks.
As a general security practice, we recommend that our customers be very cautious with installation of 3rd party browser plugins / browser extensions, such as ad blockers, coupon tools and other "helpful" utilities. Many browser extensions request elevated permissions which have the ability to access any information within any website or browser-based application that you visit. Make sure you fully trust the company who developed the browser extension, and look for their security certifications before you install it.
If you have any other security related questions, feel free to email our team at security@keepersecurity.com.
If you encounter an issue with your Keeper Desktop application and you need to reset the content and settings, please follow these steps:
Use the "Reset Keeper" menu bar item
Additional information may need to be deleted manually if you installed Keeper from the Mac App Store. Open the "Terminal" application from your Applications > Utilities menu then run the below command:
How to login to Keeper with Touch ID on your Mac
Keeper is compatible with Touch ID on macOS, a biometrics-based technology that allows users to authenticate and log into their device using a fingerprint. If Touch ID is configured on a user's device and enabled in Keeper, this eliminates the requirement for users to use SSO or enter their Master Password at the Keeper login screen, further expediting the login process.
To enable Touch ID, click Account Dropdown Menu > Settings > Security and toggle "Touch ID" on.
If Touch ID is not yet configured on your Mac, you will need to first enable the feature from your device settings. Once you have configured Touch ID, close out of the Settings window and return to your vault to proceed with the steps above.
Next time you log in to Keeper, tap on the Touch ID icon from the login screen. Once authenticated, your vault will be decrypted and you will be automatically logged into Keeper.
By clicking Cancel you will be returned to the login screen to log in with your master password or SSO instead.
Some sites have more than one domain (website address) that require the same exact login/password. If this is the case for any of your records, rather than creating an entirely separate record, Keeper allows you to store multiple website domains within one record.
So no matter what domain you are logging in from, KeeperFill will recognize that domain as an alias and allow you to log in with the same stored credentials.
To store multiple website domains within a single record:
While viewing the record, click Edit.
Click the + Custom Field button.
Select URL from the Custom Field types
In Website Address, enter the site's alternate domain name.
To finish, click Save.
You can continue to repeat this process for additional domain names by clicking the + Custom Field button again.
KeeperFill provides unique features to help you change/rotate passwords on any website.
Login to the site using the KeeperFill browser extension
Visit the site's "Change Password" Page
Follow Keeper's on-screen instructions
See the below example video using Twitter.
Logging in with Windows Hello to a vault tied to SSO.
Keeper supports the ability to login with Windows Hello or Touch ID on a vault that is tied to an SSO provider such as Microsoft Azure. To set this up, please follow the instructions below.
(1) Login to your vault using your SSO as usual, and click the Account Dropdown Menu (your email) > Settings > Security.
(2) Enable Windows Hello (or Touch ID if you're on a Mac). Note that if you previously tried using this setting, you should turn it OFF and ON in order to reset the master password storage in your device.
(3) The next time you login to the Keeper Desktop App, simply click the "Windows Hello" or "Touch ID" button.
(4) You will now be able to login seamlessly to your vault using Windows Hello or Touch ID, without having to constantly login using your SSO provider.
If you receive an error when attempting to login with Windows Hello or Touch ID, please turn the setting off then on.
User guide for Enterprise customers who login using DUO for Two-Factor Authentication.
If you are new to logging into Keeper using DUO for Two-Factor Authentication, the videos below will demonstrate the process for Web Vault, iOS, and Android users. To learn more about DUO's Two-Factor Authentication method for Enterprise, click .
To login with DUO you must first activate it in your Keeper account's Two-Factor Authentication settings.
To receive login requests from DUO, notifications must be turned on for both DUO and Keeper on your mobile device. If you use iOS, you must tap the DUO notification pull-down when it appears on your mobile device.
To receive login requests from DUO, notifications must be turned on for both DUO and Keeper on your mobile device. To verify your identity, you must tap the DUO notification pull-down when it appears on your mobile device.
To receive login requests from DUO, notifications must be turned on for both DUO and Keeper on your mobile device.
If a website form field does not display the Keeper lock icon, users can right-click on the field to produce a context menu with KeeperFill features. The context menu offers the ability to fill logins, payment cards, addresses and create new passwords.
The KeeperFill right-click context menu provides the following features:
Filling record login fields
Filling payment card fields
Filling billing and address fields
Filling TOTP Codes
Creating a new record
Opening the extension window
Launching the Web Vault
Logging out of your account
How to configure Keeper Desktop with Windows Hello biometric login.
Windows Hello integration currently works with the Keeper Desktop App only.
Keeper is compatible with Windows Hello, a biometrics-based technology that allows users to authenticate and log into their Windows device using biometric facial recognition, a fingerprint reader, or a PIN (available on Windows 10). If Windows Hello is configured on a user's device and enabled in Keeper, this eliminates the requirement for users to enter their master password at the Keeper login screen, further expediting the login process.
Enable Windows Hello:
Open the Account Dropdown Menu.
Click Settings > Security.
Toggle "Windows Hello Login" on.
Once you have read the warning notification, click Enable to accept.
If Windows Hello is not yet configured on your device, you will receive a prompt to open your Windows Settings to configure it. Once you have configured Windows Hello, close out of the Settings window and return to your Vault to proceed with steps 3 & 4 above (Enabling Windows Hello).
Next time you log in to Keeper, Windows Hello will first attempt to authenticate your identity. Once authenticated, your vault will be decrypted and you will be automatically logged into Keeper.
By clicking Cancel you will be returned to the login screen to log in with your Master Password instead.
Windows Hello login became available in March 2020 in our new unified App Installer when Keeper Desktop is installed from the download page of our website or the Microsoft Store. Customers on a prior version will not receive the Windows Hello feature until they install the proper version. The Windows Hello-compatible version of Keeper can be installed one of two ways:
1. Via the App Installer link on our website download page
2. From the Microsoft Store download site