Two-Factor Authentication

Keeper provides several 2FA options that can be enforced at the role level.

Overview

Two-Factor Authentication (2FA) can be enforced through Keeper's Role-based Enforcement Policies and can also be configured by the end-user directly in their vault. Keeper supports popular methods of 2FA including:

  • SMS/Text Message

  • TOTP generator apps such as Google and Microsoft Authenticator

  • Duo Security

  • RSA SecurID

  • Keeper DNA (using Apple Watch and Android Wear devices)

End-User Setup

Inside their vault, each user is able to individually configure their Two-Factor Authentication settings from their vault Settings screen. Upon creating a new Keeper account, the end-user is also prompted to enable 2FA.

Two-Factor Authentication End-User Setup

Detailed 2FA setup steps for the various platforms can be found in the End-User Guides.

Enforcement Policies

Two-Factor Authentication can be enforced by the Keeper Administrator, and this is controlled at the role level.

The Keeper Administrator can enforce the method of 2FA, how long the tokens stay valid and other related settings. Policies can be enforced at the role-level, so different policies can apply to different sets of users.

Enforcing Two-Factor Authentication

Configuration of Duo and RSA SecurID

Certain 2FA methods, such as Duo Security and RSA SecurID, require the Keeper administrator to log in to the Admin Console and perform up-front configuration. To access the Two-Factor Authentication configuration, navigate to the 2FA tab in the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.

Supported 2FA Methods

Set up the Two-Factor Authentication method of your choice directly from your vault. Click your account email address in the upper right corner, click Security > Settings, then toggle Two-Factor Authentication on. You will then be prompted to select one of the 2FA methods discussed below.

Text Message

Keeper supports Text Message (SMS) delivery of two-factor authentication codes. From the list of methods, toggle Text Message "on" then enter your phone number.

SMS / Text Message 2FA Method

TOTP Method

From the list of methods, toggle Google and Microsoft Authenticator (TOTP) "on". Download the Google Authenticator, Microsoft Authenticator or any TOTP-compatible application on your mobile device and add a new entry by scanning the QR Code Keeper provides.

Smartwatch (KeeperDNA)

Keeper DNA uses the connected devices you own to create your unique profile, which serves as a second factor to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable the Smartwatch (KeeperDNA) method, from your mobile device, tap Settings > Two-Factor Authentication and choose Smartwatch (KeeperDNA) as your method.

RSA SecurID

Keeper's certified backend integration with RSA SecurID can be configured by Keeper's engineering team for your account. To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper account manager to initiate this integration at business.support@keepersecurity.com.

DUO Security

Keeper has built a tight integration into the DUO Security API which is fully integrated into all of our device platforms. Both push and SMS methods are supported. To activate DUO Security, take the following steps:

  1. Log in to Duo.com and create an account (or log in if you already have an account).

  2. Select Applications from the left menu.

  3. Select Protect An Application to display a list of applications, then select Keeper Security from the list.

  4. Copy the provided credentials from Duo's site (including the Secret Key, which must be selected to view).

  5. Return to Keeper's Admin Console and select the 2FA tab. Select the gear icon under DUO and paste the copied credentials from DUO's site. Toggle the Enable switch "on" and click Save to finish.

DUO 2FA Method Setup

Once activated, each individual user can enroll in DUO by logging into their Keeper app and navigating to their Security Settings and enabling DUO Security. The user is then walked through a process to activate their device.

It is possible that the setup of DUO is initially unsuccessful due to the fact that Keeper uses email addresses and DUO may not be configured to correlate the Keeper email address to a user’s DUO account name. DUO has a helpful knowledge base article discussing how to overcome this: https://help.duo.com/s/article/aliases-guide?language=en_US.

Duo Push 2FA method

Security Keys (FIDO U2F)

Users can protect their Keeper vault with FIDO Universal 2nd Factor (U2F) compatible hardware security keys, including YubiKey and Google Titan keys, which provide secure and easy two-factor authentication (2FA). Security Keys are configured in the Keeper Web Vault or Keeper Desktop App. To activate 2FA using Security Keys, follow the steps below:

  1. Click your account email address in the upper right corner of your vault, then click Security > Settings.

  2. Set up and activate a standard 2FA method. This will be used as a backup method when your Security Key is not supported or not available. Google Auth or TOTP should be used as a backup method rather than SMS; otherwise you will receive an SMS code every time you log in with the Security Key. Keeper recommends using a TOTP (Google Auth or equivalent) generator for two-factor authentication to eliminate the possibility of SIM takeover attacks.

  3. From the previous Security menu, click Setup next to Security Keys.

  4. Follow the on-screen prompts, provide a name for your Security Key and select Register.

  5. If your Security Key has a button or gold disc (e.g. Yubico), press the button to register.

Keeper also supports FIDO U2F for both Chrome and Firefox.

How to enable FIDO U2F in Firefox Quantum:

  • Enter about:config into the Firefox browser.

  • Search for u2f.

  • Double click on security.webauth.u2f to enable U2F support.

U2F Security Key Setup

Storing TOTP Codes in Keeper

The Keeper vault is also capable of storing and managing TOTP / 2FA codes for 3rd party applications.

Keeper TOTP Codes

Storing Two-Factor Codes in the vault has several advantages:

  • Keeper two-factor codes are more secure than using SMS text messages.

  • Two-factor codes stored in Keeper are protected with strong Zero-Knowledge encryption.

  • They can be auto-filled quickly while logging in to a site, saving time and reducing friction.

  • Keeper records are securely backed up so if you lose a device you don’t have to reset all the codes.

  • Keeper records are shareable. If you have multiple people that need to log in with the same credentials, they won’t need to track down the person who has the only device containing the code.