Authentication Flow V3
Version 3 of Keeper’s login and authentication flow: Advanced Authentication and Vault Security
Vault Login Screen
Keeper's engineering team is continuously improving the security and capabilities of the Vault Authentication system in step with the evolving security landscape and the requirements of our customers.
In 2020, we launched a major security advancement for our Zero-Knowledge authentication system, called Login API version 3. The Login API provides additional security and usability benefits for current features, and it opens up opportunities for new and exciting features in the future.
The new features and usability improvements included in the latest release of Login API are the following:
The login screen is simplified to start with Email Address or you can select Enterprise SSO Login.
New Login Screen
For SSO users: If the email domain of the user is recognized as an SSO-enabled account, your users will be automatically routed to the identity provider instead of having to type in the Enterprise Domain string. Note that automatic routing is performed only if JIT (Just-In-Time) provisioning is enabled on the SSO node.
"Enterprise SSO Login" is still available for existing SSO users who login through the "Enterprise Domain" name.
"Master Password Login" is the login path for SSO users who created their alternate Master Password in the vault. This feature (SSO Master Password) must be activated by the Keeper Administrator in role policies.
For Master Password users: If the device is recognized and 2FA is activated, users will receive the prompt before typing the Master Password. Attempts to login with a Master Password will be denied until the user passes the 2FA step.
NOTE: Only users with recognized devices will be offered to perform the 2FA step. An unauthorized device will not be prompted for 2FA. Keeper does not disclose the existence of a user account unless the device is approved and recognized.
Note: The user experience is slightly different with this new method. Users will be prompted for their 2FA method prior to the Master Password step.
Keeper's device verification is a critical security feature that prevents a user from loading a vault unless the device has been approved. A device can be "approved" to perform a login attempt based on one of the following criteria:
- User has previously approved the device for login
- User's recognized WAN IP address (controlled under Settings > Security > Auto-Approve Devices from Recognized IP) *
- User is part of an Enterprise on a previously approved device by a member of their team
- User has logged in successfully to the SAML Identity Provider
- User enters a 2FA code from their registered device.
Attempts to perform login are denied until a device approval takes place.
After device verification is performed, a Keeper user with 2FA activated must pass the 2FA verification step prior to making a Master Password login attempt. After device approval and 2FA, the user proceeds to Master Password login. By placing device approval and 2FA verification prior to Master Password entry, users are protected against unauthorized login attempts or password testing attempts. Further, password attempts are limited to 10 attempts after which authentication attempts are throttled.
(*) IP Address approval only works for users with Master Password login. Users who login with SSO Connect Cloud must perform a Keeper Push or Admin Approval on all new devices.
Additional Device Verification Methods A user cannot attempt to login to an account without a device verification step. Now, device verification can be performed using several new methods including:
- Email verification code
- 2FA code entry from a TOTP or text message
- Sending a Keeper Push™ message to recognized devices
Controlling Automatic IP Device Approval
IP Address device approval is user-controlled from the Vault under Settings > Security > Auto-Approve Devices from Recognized IP Address(es).
New Security Features
Introduction of Keeper Push™ for Device Approval
Introducing a new Device Approval system via a proprietary notification-based system called Keeper Push. By default, users are asked to approve an unrecognized device using an email. If email is not available, there are several new options.
Device Approval Methods
Email, Keeper Push and 2FA Approval Methods
- For users who login with a Master Password, Keeper Push can be used for approving new devices instead of relying on email.
- For Enterprise users who login with the new SSO Connect Cloud™ capability, Keeper Push allows secure device authorization and private key transfer between the user's devices. Keeper Push provides zero knowledge encryption on the device while giving users the seamless integration with existing identity providers.
- Keeper Push also provides Enterprise SSO users to request new device approval from a Keeper Administrator, if the user has lost access to all of their other devices. The Keeper Administrator can then approve the device from the Admin Console.
- Keeper Push approvals can only be accepted on a device where a user is actively logged into a Keeper account.
Master Password Login with Keeper Push:
SSO Login with Keeper Push:
Reducing the need for Enterprise users to remember their "SSO Domain"
Users can now simply type in their email address and Keeper will route them to their appropriate identity provider. This was a highly requested feature by Enterprise customers. For security reasons, Keeper routes to the IdP based on the domain name, not the individual user email.
Automatic routing of users to the identity provider will occur by default if an SSO instance is configured in the Keeper Admin Console with Just-In-Time (JIT) provisioning, and if users are added to the SSO-provisioned node.
Work Offline mode
We've added the ability to select "Work Offline" mode to login to the Vault without an Internet connection (if allowed by the Enterprise Admin). Work Offline is only available to business customers.
Switching back to Online mode is accomplished by clicking "Go Online" at the upper right.
Support for Keeper SSO Connect Cloud™
The Keeper Login API supports 100% cloud-based integration with SSO identity providers such as Office365/Azure, Okta, JumpCloud, ADFS, Google Workspace, Ping Identity, OneLogin and any other SAML 2.0 compatible identity provider. We call this Keeper SSO Connect Cloud™. More information about SSO Connect Cloud and General Availability can be found here: https://docs.keeper.io/sso-connect-cloud/
Reduced reliance on the Master Password
The new Login API improves the use of session tokens stored dynamically in memory with server-controlled state instead of requiring the user's Master Password locally for deriving authentication hashes. This fundamental change opens up opportunities for usability features such as:
- Multi-device session management
- Session resumption ("Stay Logged In") between browser and computer restarts
- Cross-device linkage (e.g. logging into Desktop App and Browser Extensions simultaneously)
- Reducing the reliance on the Master Password for session management, session resumption and session re-authentication.
Support for Elliptic Curve Cryptography
SSO Connect Cloud takes advantage of client-side generated ECC (Elliptic Curve Cryptography) private/public key pairs for seamless integration with SSO identity providers while maintaining Zero Knowledge. Additional security information regarding SSO Connect Cloud is available at the below link: https://docs.keeper.io/sso-connect-cloud/security-and-user-flow
The sequence of steps is shown below with flow diagrams. The user's path depends on whether they are using an SSO / SAML system (also called an Identity Provider or IdP). Examples include Okta and Microsoft Azure and Keeper supports many others. When an SSO is in use by an organization the user's don’t have a separate Master Password for Keeper. Instead, they use the SSO credentials to gain access to their vault.
Q: I'm not able to login A: If you're having issues logging in, please try the following: 1. Make sure you are loading the latest Web Vault or Admin Console by hard-refreshing the web page (shift+reload or clear cache) 2. Ensure you are logging into Keeper from the correct data center. For example: Vault / US Data Center: https://keepersecurity.com/vault Vault / US GovCloud Data Center: https://govcloud.keepersecurity.us/vault Vault / EU Data Center: https://keepersecurity.eu/vault Vault / AU Data Canter: https://keepersecurity.com.au/vault Vault / CA Data Canter: https://keepersecurity.ca/vault Vault / JP Data Canter: https://keepersecurity.jp/vault
Console / US Data Center: https://keepersecurity.com/console Console / US GovCloud Data Center: https://govcloud.keepersecurity.us/console Console / EU Data Center: https://keepersecurity.eu/console Console / AU Data Center: https://keepersecurity.com.au/console Console / CA Data Center: https://keepersecurity.ca/console Console / JP Data Center: https://keepersecurity.jp/console If you try to login to the wrong data center, you may receive emails or errors that your account does not exist. Q: I'm being routed to my identity provider at the login screen but I don't want to use SSO. A: If your user account is located in the Admin Console in a node that is configured for SSO, you will be routed to login with SSO from the Keeper login screen. 1. If you have an unused or mis-configured SSO node in Keeper, this could cause users to be redirected. Contact Enterprise Support and we can help you resolve this. 2. To login with an SSO Master Password on the Web Vault, click on "Enterprise SSO Login" and then "Master Password Login". This screen will allow you to login with the SSO Master Password (if permitted by your Role policy, and if this has been set prior).
Q: Is 2FA before Master Password allowing enumeration of user accounts? A: No. Only approved devices and external IP addresses (if IP-based device approval is enabled) are able to proceed to the login step.
Q: Is someone from the outside able to try and login to an account and spam them with 2FA codes? A: No. Only approved devices and external IP addresses (if IP-based device approval is enabled) are able to proceed to the login step and request a 2FA code. Keeper's device approvals can also be performed using a 2FA method, but we do not disclose the method to the user, and there is no indication of account existence.
Q: How do I turn off IP-based device approvals? A: From the Keeper Vault settings > Security screen, turn off automatic IP approvals.
Q: What is the security implication of putting 2FA before Master Password? A: Only approved devices are able to attempt login. An approved device must then pass a 2FA step, prior to being able to test a Master Password. Extremely secure services such as Amazon AWS also implements a similar flow with regards to Password and 2FA. Preventing password testing and user enumeration is a very secure methodology. We are confident that users will quickly adapt to the new flow.
Q: How do I test the new login flow as an outsider? A: To understand how the new login flow looks to an outsider, simply open the vault on a new unrecognized device and network that has not been used by your account, or your Enterprise account. For example, connect to a cellular wireless network and open an incognito browser window on your device.