Recommended Security Settings

In order to help lock down your account these are recommended settings.

1. Enforce a strong master password.

Reducing the risk of a cybersecurity attack starts with the use of a strong master password for all users who are on-boarded to your Keeper enterprise account. While many organizations have minimum password complexity rules many do not. Regardless, a strong and complex master password is highly recommended as the first step towards reducing unauthorized access to a users vault.

The National Institute of Standards and Technology (NIST) provides password guidelines in: Special Publication 800-63B. The guidelines promote a balance between usability and security; Or in other words, passwords should be easy to remember but hard to guess. The NIST instruction recommends an eight character minimum but a higher value will ultimately result in a harder to guess/crack password.

Password complexity can be configured on a per role-basis. See the master password complexity enforcement setting in the guide.

2. Mandate the use of Two-Factor Authentication.

Two-factor authentication (2FA), also commonly referred to as multi-factor authentication, adds an additional layer of security to access the vault. The first layer is something your users know; his or her master password. The second layer is something they have. It can be either their mobile device (SMS text or a TOTP application) or by using a hardware token (Duo or RSA offers hardware tokens. Or adding a security key like a YubiKey). Adding a second means of authentication will makes it considerably more difficult for an attacker to gain access a users vault. To set up 2FA See the section in the guide: Two-factor Authentication

3. Configure IP Whitelisting

To prevent users from accessing their work vault outside of approved locations and networks, administrators will want to enable IP Address Whitelisting. This is a role-based enforcement setting that will ensure users can only access their vaults when their device is on an approved network.

Visit the section on IP Whitelisting for more information on configuring roles to include this feature.

4. Set up Email Provisioning

Follow the instructions to set up Email Auto-Provisioning as a way to prevent users from creating a a free vault using their organizational email address outside of the enterprise subscription. This on-boarding mechanism will allow you to place users inside of a role to apply enforcement settings at the onset of the creation of their account.