Two-Factor Authentication

Keeper provides several 2FA options that can be enforced at the role level.

For accessing the user's vault, Keeper supports popular methods of Two-Factor Authentication ("2FA") including:

  • SMS/Text Message

  • TOTP generator apps such as Google and Microsoft Authenticator

  • Duo Security

  • RSA SecurID

  • Keeper DNA (using Apple Watch and Android Wear devices)

2FA can be enforced through Keeper's Role-based Enforcement Policies and can also be configured by the end-user directly in their vault.

End-User Setup

Inside the vault, each user is able to individually configure their Two-Factor Authentication settings from their vault Settings screen. Upon creating a new Vault account, the end-user is also prompted to set up their 2FA settings.

Two-Factor Authentication End-User Setup

Detailed 2FA setup steps for the various platforms can be found in the End-User Guides.

Enforcement Policies

Two-Factor Authentication can be enforced by the Keeper Administrator, and this is controlled at the role level.

The Keeper Administrator can enforce the method of 2FA, how long the tokens stay valid, and other related settings. Policies can be enforced at the role level, so different policies can apply to different sets of users.

Enforcing Two-Factor Authentication

Configuration of Duo and RSA SecurID

Certain 2FA methods such as Duo Security and RSA SecurID require the Keeper administrator to log in to the Admin Console and perform up-front configuration. To access the Two-Factor Authentication configuration, visit the 2FA tab of the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.

Supported 2FA Methods

Text Message

Keeper supports Text Message (SMS) delivery of two-factor authentication codes. To select the Text Message method, visit the Settings screen within the Web App or Mobile App.

SMS / Text Message 2FA Method

TOTP Method

Download the Google Authenticator, Microsoft Authenticator or any TOTP-compatible application on your mobile device and add a new entry by scanning the QR Code Keeper provides.

Smartwatch (KeeperDNA)

Keeper DNA uses the connected devices you own to create your unique profile, which serves as a second factor to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable the Keeper DNA 2FA method, visit Settings > Two-Factor Authentication on your iPhone or Android Keeper app and choose Smartwatch (KeeperDNA) as your method.

RSA SecurID

Keeper's certified backend integration with RSA SecurID can be configured by Keeper's engineering team for your account. To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper account manager to initiate this integration at business.support@keepersecurity.com.

DUO Security

Keeper has built a tight integration into the Duo Security API which is fully integrated into all of our device platforms. Push and SMS methods are supported. To activate Duo Security, follow the steps below:

  1. Create an account and log in to Duo.com. Select Applications on the left side menu list.

  2. Select Protect An Application to bring up a list of applications. Then select Keeper Security from the list.

  3. Copy the provided credentials from Duo's website (including the Secret Key, which needs to be selected to view).

  4. Return to Keeper's Admin Console and select the 2FA tab. Select the gear icon under Duo and paste in the information copied from Duo's site. Slide the switch to enable and select Save.

Duo 2FA Method Setup

Once activated, each individual user can enroll in Duo by logging into their Keeper app, going to Keeper's Settings or DNA screen, selecting One-Time Passcodes (or Two-Factor Authentication) and then selecting Duo Security. The user is walked through a process to activate their device.

User accounts may not line up correctly between Keeper and Duo. Keeper identifies users by email address, and Duo may not be configured to correlate the email address with the user's account name in Duo. Duo has a Knowledge Base article on how to overcome this: https://help.duo.com/s/article/aliases-guide?language=en_US

Duo Push 2FA method

Security Keys (FIDO U2F)

Users can protect their Keeper vault with FIDO Universal 2nd Factor (U2F) compatible hardware security keys, including YubiKey and Google Titan keys, which provide secure and easy two-factor authentication (2FA). Security Keys are configured on the Keeper Web Vault or Keeper Desktop App.

To activate 2FA using Security keys, follow the steps below:

  1. Select More > Settings and then the Security tab.

  2. Set up and activate a standard 2FA method. This will be used as a backup method when your Security Key is not supported or not available. Google Auth or TOTP should be used as the fallback method instead of SMS; otherwise you will get an SMS code every time you log in with the security key. Keeper recommends using a TOTP (Google Auth or equivalent) generator for two-factor authentication to eliminate the possibility of SIM takeover attacks.

  3. Select Setup under the Security Keys section.

  4. Follow the on-screen prompts, give your Security Key a name and select Register.

  5. If your Security Key has a button or gold disc (e.g. Yubico), press the button to register.

Keeper also supports FIDO U2F for both Chrome and Firefox.

How to enable FIDO U2F in Firefox Quantum:

  • Type about:config into the Firefox browser.

  • Search for u2f.

  • Double-click security.webauth.u2f to enable U2F support.

U2F Security Key Setup

Storing TOTP Codes in Keeper

The Keeper vault is also capable of storing and managing TOTP / 2FA codes for 3rd party applications.

Keeper TOTP Codes

Storing Two-Factor Codes in the vault has several advantages:

  • Keeper two-factor codes are more secure than using SMS text messages.

  • Two-factor codes stored in Keeper are protected with strong Zero-Knowledge encryption.

  • They can be auto-filled quickly while logging in to a site, saving time and reducing friction.

  • Keeper records are securely backed up so if you lose a device you don’t have to reset all the codes.

  • Keeper records are shareable. If you have multiple people that need to log in with the same credentials, they won’t need to track down the person who has the only device containing the code.