Two-Factor Authentication

Keeper supports popular methods of Two-Factor Authentication (2FA) including Text Message, TOTP applications such as Google and Microsoft Authenticator, Duo Security, RSA SecurID and Keeper DNA (using Apple Watch and Android Wear devices). Each user is able to individually configure their Two-Factor Authentication settings from their vault Settings screen. Certain 2FA methods such as Duo Security and RSA SecurID require the Keeper administrator to login to the Admin Console and perform up-front configuration. To access the Two-Factor Authentication configuration, visit the 2FA tab of the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.

Text Message

Keeper supports Text Message (SMS) delivery of two-factor authentication codes. To select Text Message method, visit the Settings or DNA screens within the Web App or Mobile App.

Google Authenticator (TOTP)

Download the Google Authenticator or any TOTP-compatible application on your mobile device and add a new entry by scanning the barcode Keeper provides.

Smartwatch (KeeperDNA)

Keeper DNA uses the connected devices you own to create your unique profile which serves as a second factor to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable Keeper DNA 2FA method, visit Settings > Two-Factor Authentication on your iPhone or Android Keeper app and choose Smartwatch (KeeperDNA) as your method.


To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper account manager to initiate this integration at

DUO Security

To activate Duo Security, follow the below steps:

  1. Make an account and login to Select Applications on the left side menu list.

  2. Select Protect An Application to bring up a list of applications. Then select Keeper Security from the list.

  3. Copy the provided credentials from Duo's website (including the Secret Key which needs to be selected to view)

  4. Return to Keeper's admin console and select on the 2FA tab. Select on the gear icon under Duo and paste in the info copied information from Duo's site. Slide the switch to enable and select save.

Once activated, each individual user can enroll in Duo by logging into their Keeper app and going to Keeper's Settings or DNA screen, select One-Time Passcodes (or Two-Factor Authentication) and selecting Duo Security. User is walked through a process to activate their device.

Security Keys (FIDO U2F)

Users can protect their Keeper vault with FIDO Universal 2nd Factor (U2F) compatible hardware security keys, including YubiKey and Google Titan keys, which provides secure and easy two-factor authentication (2FA). Security Keys are configured on the Keeper Web Vault or Keeper Desktop App.

To activate 2FA using Security keys, follow the steps below:

  1. Select More > Settings and then Security tab.

  2. Setup and activate a standard 2FA method. This will be used as a backup method when your Security Key is not supported or not available. Google Auth or TOTP should be used as the fallback method instead of SMS otherwise you will get a SMS code every time you login with the security key. Keeper recommends using a TOTP (Google Auth or equivalent) generator for two-factor authentication to eliminate the possibility of SIM takeover attacks.

  3. Select Setup under the Security Keys section.

  4. Follow the on-screen prompts and give your Security Key a name and select Register.

  5. 5. If your Security Key has a button or gold disc (e.g. Yubico), press the button to register.

Keeper also supports FIDO U2F for both Chrome and Firefox.

How to enable FIDO U2F in Firefox Quantum:

  • Type about:config into the Firefox browser.

  • Search for u2f.

  • Double click on security.webauth.u2f to enable U2F support.