Keeper Administrators hold the encryption keys used to access the Admin Console, provision users, manage enforcement policies and perform day-to-day user administration.
The "Keeper Administrator" role requires at least two users in that role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. Keeper employees cannot elevate a user to an administrative role or reset an administrator's Master Password.
Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. For step-by-step details visit the Account Transfer Policy guide.
Reducing the risk of a cybersecurity attack starts with the use of a strong master password for all users who are onboarded to your Keeper enterprise account. A strong and complex master password is highly recommended as the first step towards reducing unauthorized access to a user's vault.
The National Institute of Standards and Technology (NIST) provides password guidelines in Special Publication 800-63B. The guidelines promote a balance between usability and security; in other words, passwords should be easy to remember but hard to guess. NIST recommends an eight-character minimum, but a higher value will ultimately result in a password that is harder to guess or crack.
Password complexity can be configured on a per-role basis. See the master password complexity enforcement setting in the guide.
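The following is an added illustration, not Keeper's own code, of the SP 800-63B approach the paragraph above refers to: a length floor (eight characters here, as the page states), a check against a list of common or compromised passwords, rejection of trivial sequences and of context-specific words such as the account name, and no character-class composition rules. The blocklist is a constructed sample, and the reason codes and function names are hypothetical.

```python
import unicodedata

# Constructed sample of a common/compromised password list. A real deployment
# would check against a large breached-password corpus; this set only
# illustrates the mechanism.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome1",
    "iloveyou", "admin123", "passw0rd", "football",
}

# Hypothetical reason codes returned by the checker (not Keeper's own names).
TOO_SHORT = "too_short"
BLOCKLISTED = "blocklisted"
SEQUENTIAL = "sequential_or_repeated"
CONTEXT = "contains_context_word"


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters step by exactly +1/-1 in code
    point order ('abcd', '4321') or are all identical ('aaaa')."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_master_password(candidate: str, *, username: str = "",
                          min_length: int = 8, service_name: str = "keeper",
                          blocklist=COMMON_PASSWORDS) -> list:
    """Return a list of reason codes; an empty list means the password passes.

    Enforces a length floor, compares against a blocklist, rejects trivial
    sequences and context-specific words, and imposes no composition rules.
    Spaces and any Unicode are allowed, so long passphrases are accepted.
    """
    # Normalise to a fixed form (NFKC) before measuring length or comparing,
    # so the same visible string always counts the same.
    pw = unicodedata.normalize("NFKC", candidate)
    lowered = pw.lower()
    problems = []

    if len(pw) < min_length:
        problems.append(TOO_SHORT)
    if lowered in blocklist:
        problems.append(BLOCKLISTED)
    if has_sequential_run(pw):
        problems.append(SEQUENTIAL)

    # Context-specific words: the account's local part and the service name.
    local_part = username.split("@", 1)[0].lower()
    for word in (local_part, service_name.lower()):
        if len(word) >= 3 and word in lowered:
            problems.append(CONTEXT)
            break
    return problems


if __name__ == "__main__":
    for pw in ("Passw0rd", "abcd1234", "correct horse battery staple"):
        print(f"{pw!r}: {check_master_password(pw) or 'ok'}")
```

The checker deliberately returns every failing rule rather than stopping at the first, so an administrator can show users why a candidate was refused; raising `min_length` above eight is the single most effective knob, in line with the guidance quoted above.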
Two-Factor Authentication (2FA), also commonly referred to as multi-factor authentication, adds an additional layer of security to access the vault. The first layer is something your users know: their master password. The second layer is something they have: either their mobile device (SMS text or a TOTP application), a hardware token (Duo and RSA offer hardware tokens), or a security key such as a YubiKey or Google Titan key. Adding a second means of authentication makes it considerably more difficult for an attacker to gain access to a user's vault. To set up 2FA, see the section in the guide: Two-Factor Authentication.
To prevent users from accessing their work vault outside of approved locations and networks, administrators will want to enable IP Address Allowlisting. This is a role-based enforcement setting that will ensure users can only access their vaults when their device is on an approved network.
Visit the section on IP Allowlisting for more information on configuring roles to include this feature.
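As an added example, not Keeper's implementation or configuration format, the block below models the role-based enforcement described above: each role maps to a list of approved networks in CIDR form, a login is allowed only when the client address falls inside one of them, roles without an allowlist are not restricted, and anything unparseable is denied. The role names, addresses (taken from the RFC 5737 and RFC 3849 documentation ranges) and login events are all constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed per-role allowlists. Illustrative data model only.
ROLE_ALLOWLISTS: Dict[str, List[str]] = {
    "Finance": ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48"],
    "Engineering": ["192.0.2.0/24"],
    # Roles absent from this mapping have no allowlist enforcement.
}


def parse_allowlist(entries: Iterable[str]):
    """Turn CIDR strings into network objects. strict=True makes a host bit
    set in the prefix (e.g. 203.0.113.5/24) raise ValueError, so a typo in
    the policy is caught when it is loaded rather than silently widened."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def is_allowed(client_ip: str, networks) -> bool:
    """True when client_ip lies inside any approved network. Unparseable
    addresses are denied (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # Membership is False across address families (an IPv6 client never
    # matches an IPv4 network), so no extra version check is needed.
    return any(addr in net for net in networks)


def evaluate_login(role: str, client_ip: str,
                   role_allowlists: Dict[str, List[str]] = ROLE_ALLOWLISTS) -> str:
    """Return 'allow' or 'deny' for a vault login from client_ip by a user in role."""
    entries = role_allowlists.get(role)
    if entries is None:
        return "allow"  # no enforcement configured for this role
    return "allow" if is_allowed(client_ip, parse_allowlist(entries)) else "deny"


# Constructed login events: (username, role, client IP as seen by the server).
SAMPLE_LOGINS: List[Tuple[str, str, str]] = [
    ("alice", "Finance", "203.0.113.77"),
    ("bob", "Finance", "198.51.100.11"),       # one past the single /32 host
    ("carol", "Finance", "2001:db8:1::beef"),
    ("dave", "Engineering", "2001:db8:1::1"),  # IPv6 client, IPv4-only allowlist
    ("erin", "Contractor", "203.0.113.200"),   # role without enforcement
    ("frank", "Engineering", "not-an-ip"),
]


def denied_logins(events=SAMPLE_LOGINS, role_allowlists=ROLE_ALLOWLISTS):
    """Return the (username, ip) pairs that would be blocked, in event order,
    which is what an administrator would expect to see in the audit log."""
    return [(user, ip) for user, role, ip in events
            if evaluate_login(role, ip, role_allowlists) == "deny"]


if __name__ == "__main__":
    for user, ip in denied_logins():
        print(f"DENY {user} from {ip}")
```

Two points matter when applying this pattern: the address checked must be the one observed on the authenticated connection (or supplied by a proxy you control), never a header the client can set, and the allowlist should be kept to the networks the role actually needs, because any address inside an approved range bypasses this control.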
Follow the instructions to set up Email Auto-Provisioning to prevent users from creating a free vault with their organizational email address outside of the enterprise subscription. This onboarding mechanism allows you to place users in a role so that enforcement settings apply from the moment their account is created.