Login API

Version 3 of Keeper’s new login flow: Advanced Authentication and Vault Security
Vault Login Screen

Availability (1) Web Vault and Admin Console: Now Live (2) Desktop App, Extensions, iOS, Android will go live on September 30, 2020

Keeper's engineering team is continuously improving the security and capabilities of the Vault Authentication system in step with the evolving security landscape and the requirements of our customers.

We are proud to announce a major security advancement for our Zero-Knowledge authentication system, called Login API version 3. The Login API provides additional security and usability benefits for current features, and it opens up opportunities for new and exciting features in the future.

Usability, Security and Feature Updates

The new features and usability improvements included in the latest release of Login API are the following:

New Login Screen

The login screen is simplified to start with Email Address or you can select Enterprise SSO Login.

New Login Screen

For SSO users: If the email domain of the user is recognized as an SSO-enabled account, your users will be automatically routed to the identity provider instead of having to type in the Enterprise Domain string.

Note: "Enterprise SSO Login" is still available for existing SSO users who login through the "Enterprise Domain" name.

"Enterprise Domain Login" requires typing the "Enterprise Domain" defined by the Keeper Administrator.

"Master Password Login" is the login path for users who created their SSO Master Password in the vault. This feature (SSO Master Password) must be activated by the Keeper Administrator in role policies.

For Master Password users: If the device is recognized and 2FA is activated, users will receive the prompt before typing the Master Password. Attempts to login with a Master Password will be denied until the user passes the 2FA step.

NOTE: Only users with recognized devices will be offered to perform the 2FA step. An unauthorized device will not be prompted for 2FA. Keeper does not disclose the existence of a user account unless the device is approved and recognized.

Note: The user experience is slightly different with this new method. Users will be prompted for their 2FA method prior to the Master Password step.

Device Approval

A device can be "approved" to perform a login attempt based on one of the following criteria:

  • User has previously approved the device for login

  • User's external IP address has been used for a successful login

  • User is part of an Enterprise on a previously approved device by a member of their team

Attempts to perform login are denied until a device approval takes place.

After device verification is performed, a Keeper user with 2FA activated must pass the 2FA verification step prior to making a Master Password login attempt. After device approval and 2FA, the user proceeds to Master Password login. By placing device approval and 2FA verification prior to Master Password entry, users are protected against unauthorized login attempts or password testing attempts. Further, password attempts are limited to 10 attempts after which authentication attempts are throttled.

Additional Device Verification Methods A user cannot attempt to login to an account without a device verification step. Now, device verification can be performed using several new methods including:

  • Email verification code

  • 2FA code entry from a TOTP or text message

  • Sending a Keeper Push™ message to recognized devices

Controlling Automatic IP Device Approval

IP Address device approval is user-controlled from the Vault under Settings > Security > Auto-Approve Devices from Recognized IP Address(es).

Introduction of Keeper Push™

Introducing a new Device Approval system via a proprietary notification-based system called Keeper Push. By default, users are asked to approve an unrecognized device using an email. If email is not available, there are several new options.

Device Approval Methods
Email, Keeper Push and 2FA Approval Methods
Keeper Push

Keeper Push is currently only available on the Web Vault. Additional platform support on iOS and Android devices will be rolled out at the end of September, 2020.

  • For users who login with a Master Password, Keeper Push can be used for approving new devices instead of relying on email.

  • For Enterprise users who login with the new SSO Connect Cloud™ capability, Keeper Push allows secure device authorization and private key transfer between the user's devices. Keeper Push provides zero knowledge encryption on the device while giving users the seamless integration with existing identity providers.

  • Keeper Push also provides Enterprise SSO users to request new device approval from a Keeper Administrator, if the user has lost access to all of their other devices. The Keeper Administrator can then approve the device from the Admin Console.

Keeper Push approvals can only be accepted on a device where a user is actively logged into a Keeper account.

SSO Domain Routing

Reducing the need for Enterprise users to remember their "SSO Domain"

Users can now simply type in their email address and Keeper will route them to their appropriate identity provider. This was a highly requested feature by Enterprise customers. For security reasons, Keeper routes to the IdP based on the domain name, not the individual user email.

Automatic routing of users to the identity provider will occur by default if an SSO instance is configured in the Keeper Admin Console, and if users are added to the SSO-provisioned node.

Work Offline mode

We've added the ability to select "Work Offline" mode to login to the Vault without an Internet connection (if allowed by the Enterprise Admin). Work Offline is only available to business customers.

Work Offline

Switching back to Online mode is accomplished by clicking "Go Online" at the upper right.

Go Online

Support for Keeper SSO Connect Cloud™

The Keeper Login API supports our upcoming 100% cloud-based integration with SSO identity providers such as Office365/Azure, Okta, JumpCloud, ADFS, Ping Identity, OneLogin and any other SAML 2.0 compatible identity provider. We call this Keeper SSO Connect Cloud™. More information about SSO Connect Cloud and General Availability can be found here: https://docs.keeper.io/sso-connect-cloud/

Reduced reliance on the Master Password

The new Login API improves the use of session tokens stored dynamically in memory with server-controlled state instead of requiring the user's Master Password locally for deriving authentication hashes. This fundamental change opens up opportunities for future enhanced usability features such as:

  • Multi-device session management

  • Session resumption (e.g. staying logged in between browser and computer restarts)

  • Cross-device linkage (e.g. logging into Desktop App and Browser Extensions simultaneously)

  • Reducing the reliance on the Master Password for session management, session resumption and session re-authentication.

Support for Elliptic Curve Cryptography

SSO Connect Cloud takes advantage of client-side generated ECC (Elliptic Curve Cryptography) private/public key pairs for seamless integration with SSO identity providers while maintaining Zero Knowledge. Additional security information regarding SSO Connect Cloud is available at the below link: https://docs.keeper.io/sso-connect-cloud/security-and-user-flow

User Experience

The sequence of steps is shown below with flow diagrams. The user's path depends on whether they are using an SSO / SAML system (also called an Identity Provider or IdP). Examples include Okta and Microsoft Azure and Keeper supports many others. When an SSO is in use by an organization the user's don’t have a separate Master Password for Keeper. Instead, they use the SSO credentials to gain access to their vault.

Account Creation Flow

Login Flow (for existing accounts)

Future Capabilities

The latest Keeper Login API unlocks several highly requested usability features and capabilities that the Keeper team will be launching this year. Examples include:

  • Seamless Multi-Vault Switching

  • Staying Logged In between browser and computer restarts

  • Linking devices for login and logout (such as Desktop App and Browser Extension)

Planned Rollout and Backwards Compatibility

On September 3, 2020, Keeper rolled out the latest Login API capability initially on the Web Vault and Admin Console. Desktop App, Browser Extensions, iOS and Android applications will be rolled out at the end of September.

To ensure compatibility across devices and platforms, the Vault and Admin Console will support both V2 and V3 users. However, a user who signs up with SSO Cloud (which is only supported in V3) will not be able to login on the Browser Extensions, iOS or Android until the rollout of those platforms.

Keeper will continue to maintain backwards compatibility with the existing V2 Login API for several months, until all devices and users have had the opportunity to migrate.

FAQs

Q: I'm not able to login A: If you're having issues logging in, please try the following: 1. Make sure you are loading the latest Web Vault or Admin Console by hard-refreshing the web page (shift+reload or clear cache) 2. Ensure you are logging into Keeper from the correct data center. For example: Vault / US Data Center: https://keepersecurity.com/vault Vault / EU Data Center: https://keepersecurity.eu/vault

Console / US Data Center: https://keepersecurity.com/console Console / EU Data Center: https://keepersecurity.eu/console If you try to login to the wrong data center, you may receive emails or errors that your account does not exist. Q: I'm being routed to my identity provider at the login screen but I don't want to use SSO. A: If your user account is located in the Admin Console in a node that is configured for SSO, you will be routed to login with SSO from the Keeper login screen. 1. If you have an unused or mis-configured SSO node in Keeper, this could cause users to be redirected. Contact Enterprise Support and we can help you resolve this. 2. To login with an SSO Master Password on the Web Vault, click on "Enterprise SSO Login" and then "Master Password Login". This screen will allow you to login with the SSO Master Password (if permitted by your Role policy, and if this has been set prior).

Q: Is 2FA before Master Password allowing enumeration of user accounts? A: No. Only approved devices and external IP addresses (if IP-based device approval is enabled) are able to proceed to the login step.

Q: Is someone from the outside able to try and login to an account and spam them with 2FA codes? A: No. Only approved devices and external IP addresses (if IP-based device approval is enabled) are able to proceed to the login step and request a 2FA code. Keeper's device approvals can also be performed using a 2FA method, but we do not disclose the method to the user, and there is no indication of account existence.

Q: How do I turn off IP-based device approvals? A: From the Keeper Vault settings > Security screen, turn off automatic IP approvals.

Q: What is the security implication of putting 2FA before Master Password? A: Only approved devices are able to attempt login. An approved device must then pass a 2FA step, prior to being able to test a Master Password. Extremely secure services such as Amazon AWS also implements a similar flow with regards to Password and 2FA. Preventing password testing and user enumeration is a very secure methodology. We are confident that users will quickly adapt to the new flow.

Q: How do I test the new login flow as an outsider? A: To understand how the new login flow looks to an outsider, simply open the vault on a new unrecognized device and network that has not been used by your account, or your Enterprise account. For example, connect to a cellular wireless network and open an incognito browser window on your device.

Need Help?

Monitor system status and register for real-time alerts here: https://statuspage.keeper.io/ If you need assistance please contact: business.support@keepersecurity.com Or open a ticket on our support page: https://www.keepersecurity.com/support.html