We highly recommend Keeper Admin's enable the following security settings.
1. Create Two Keeper Administrators
Keeper Administrators hold the encryption keys used to access the Admin Console, provision users, manage enforcement policies and perform day to day user administration.
The "Keeper Administrator" role requires at least two users in that role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. Keeper employees cannot elevate a user to an administrative role or reset an administrator's Master Password.
2. Enable Account Transfer Policy
Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. For step by step details visit the Account Transfer Policy guide.
3. Enforce a Strong Master Password
Reducing the risk of a cybersecurity attack starts with the use of a strong master password for all users who are on-boarded to your Keeper enterprise account. A strong and complex master password is highly recommended as the first step towards reducing unauthorized access to a users vault.
The National Institute of Standards and Technology (NIST) provides password guidelines in: Special Publication 800-63B. The guidelines promote a balance between usability and security; Or in other words, passwords should be easy to remember but hard to guess. The NIST instruction recommends an eight character minimum but a higher value will ultimately result in a harder to guess/crack password.
Password complexity can be configured on a per role-basis. See the master password complexity enforcement setting in the guide.
4. Mandate the use of Two-Factor Authentication
Two-Factor Authentication (2FA), also commonly referred to as multi-factor authentication (MFA), adds an additional layer of security to access the vault. The first layer is something your users know; his or her master password. The second layer is something they have. It can be either their mobile device (SMS text or a TOTP application) or by using a hardware token (Duo or RSA offers hardware tokens. Or adding a security key like a YubiKey or Google Titan key). Adding a second means of authentication will makes it considerably more difficult for an attacker to gain access a users vault.
Using a role based enforcement can ensure all users of the enterprise are mandated to configure 2FA on their vault account.
SSO enabled users should ensure 2FA is configured with their IdP at a minimum. Keeper checks for a signed login during SSO authentication and prompts for email verification on new devices. For additional security 2FA can be enabled on the Keeper account.
To set up 2FA See the section in the guide: Two-factor Authentication
5. Configure IP Allowlisting
To prevent users from accessing their work vault outside of approved locations and networks, administrators will want to enable IP Address Allowlisting. This is a role-based enforcement setting that will ensure users can only access their vaults when their device is on an approved network.
Visit the section on IP Allowlisting for more information on configuring roles to include this feature.
6. Prevent Installation of Untrusted Extensions
As a general security practice, we recommend that Enterprise customers limit the ability of end-users to install unapproved 3rd party browser extensions. Browser extensions with elevated permissions could have the ability to access any information within any website or browser-based application. Please refer to your device management software to ensure that Keeper is allowed, and unapproved extensions are blocked or removed.
Watch the video below to learn more about hardening your systems.