Two-Factor Authentication

Keeper provides several 2FA options that can be enforced at the role level.


Two-Factor Authentication (2FA) can be enforced through Keeper's Role-based Enforcement Policies and can also be configured by the end-user directly in their vault. Keeper supports popular methods of 2FA including:

  • SMS/Text Message

  • TOTP generator apps such as Google and Microsoft Authenticator

  • Duo Security

  • RSA SecurID

  • Keeper DNA (using Apple Watch and Android Wear devices)

  • FIDO2 WebAuthn physical keys such as Yubikey

End-User Setup

Inside their vault, each user is able to individually configure their Two-Factor Authentication settings from their vault Settings screen. Upon creating a new Keeper account, the end-user is also prompted to enable 2FA.

Detailed 2FA setup steps for the various platforms can be found in the End-User Guides.

2FA Enforcement Policies

Two-Factor Authentication can be enforced by the Keeper Administrator, and this is controlled at the role level.

The Keeper Administrator can enforce the method of 2FA, how long the tokens stay valid and other related settings. Policies can be enforced at the role-level, so different policies can apply to different sets of users.

For more details instructions about enforcement policies, click here.

Configuration of Duo and RSA SecurID

Certain 2FA methods such as Duo Security and RSA SecurID require the Keeper administrator to login to the Admin Console and perform up-front configuration. To access the Two-Factor Authentication configuration, navigate to the 2FA tab in the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.

DUO Security Setup

Keeper has built a tight integration into the DUO Security API which is fully integrated into all of our device platforms. Both push and SMS methods are supported. To activate DUO Security, use take the following steps:

  1. Login to and create an account (or login if you already have an account).

  2. Select Applications from the left menu.

  3. Select Protect An Application to display a list of applications, then select Keeper Security from the list.

  4. Copy the provided credentials from Duo's site (including the Secret Key which must be selected to view)

  5. Return to Keeper's Admin Console and select the 2FA tab. Select the gear icon under DUO and paste the copied credentials from DUO's site. Toggle the Enable switch "on" and click Save to finish.

Important Note about Username Normalization

If you receive an error when attempting to login with Duo, you may need to check your "Username normalization" setting. The Keeper email address is used when the Keeper backend communicates with Duo's API. If your Duo environment is configured with a username instead of an email address, make sure to check the "Username normalization" setting in the Duo Console configuration page and select "Simple".

DUO has a helpful knowledge base article discussing username normalization here:

Once activated, each individual user can enroll in DUO by logging into their Keeper app and navigating to the Settings > Security screen and enabling DUO. The user is then walked through a process to activate their device.

After activation, the user will be prompted with Duo Security on all devices.

Other Supported 2FA Methods

Set-up Two-Factor Authentication method of your choice directly from your vault. Click your account email address in the upper right corner, click Security > Settings then toggle Two-Factor Authentication on. You will then be prompted to select one the 2FA methods discussed below.

Text Message

Keeper supports Text Message (SMS) delivery of two-factor authentication codes. From the list of methods, toggle Text Message "on" then enter your phone number.

TOTP Method

From the list of methods, toggle Google and Microsoft Authenticator (TOTP) "on". Download the Google Authenticator, Microsoft Authenticator or any TOTP-compatible application on your mobile device and add a new entry by scanning the QR Code Keeper provides.

Smartwatch (KeeperDNA)

Keeper DNA uses the connected devices you own to create your unique profile which serves as a second factor to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable the Smartwatch (KeeperDNA) method, from your mobile device, tap Settings > Two-Factor Authentication and chose Smartwatch (KeeperDNA) as your method.

RSA SecurID Setup

Keeper's certified backend integration with RSA SecurID can be configured by Keeper's engineering team for your account. To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper account manager to initiate this integration at

Security Keys (FIDO2 WebAuthn)

Users can protect their Keeper vault with FIDO WebAuthn compatible hardware security keys, including YubiKey and Google Titan keys, which provide secure and easy two-factor authentication (2FA).

Security Keys are configured in the Keeper Web Vault or Keeper Desktop App. To activate 2FA using Security Keys, follow the steps below:

  1. Click your account email address in the upper right corner of your vault, then click Settings > Security

  2. Enable 2FA and click Edit Two Factor to activate a standard 2FA method. This will be used as a backup method when your Security Key is not supported or not available. Google Auth or TOTP should be used a backup method rather than SMS, otherwise you will receive an SMS code every time you login with the Security Key. Keeper recommends using a TOTP (Google Authenticator or equivalent) generator for two-factor authentication to eliminate the possibility of SIM takeover attacks.

  3. From the previous Security menu, click Setup next to Security Keys.

  4. Follow the on-screen prompts, provide a name for your Security Key and select Register.

  5. If your Security Key has a button or gold disc (e.g. Yubico), press the button to register.

Login Experience with Security Keys

Keeper's authentication system as described in the Keeper Encryption Model requires device verification and 2FA verification prior to Master Password authentication.

When using Security Keys and logging into the Browser Extension, the flow is slightly different from a user perspective but the security level is the same. Users on the Browser Extension login flow are prompted for the Master Password, but this information is not processed until the device verification and 2FA step has been performed. This workflow is due to the fact that Browser Extensions do not currently support native Security Keys.

Backup 2FA Methods

Currently, Keeper requires that users have a backup 2FA method using either TOTP, SMS, Duo, RSA or Keeper DNA. The Backup 2FA method is utilized on devices that do not support hardware security keys, or if you do not have access to your key.

For customers who do not wish to have a backup 2FA method, we recommend using the TOTP method and discarding the seed after setup. Please note that authentication with some devices will be impaired without a backup 2FA method. Also, note that if you lose all your registered Security Keys, you will need to contact your Keeper Administrator or Keeper Support teams to assist in changing 2FA methods.

Admin 2FA Control

Admins have the ability to disable 2FA for any of their users.

Last updated