Vault Offline Access

Offline access is a common use case for organizations who require vault access in poor network conditions or when SSO is unavailable.

Overview

Offline Mode allows users access to their vaults from any device when they are not able to connect online to Keeper or to their SSO Identity Provider. Offline access is available for Keeper Web, Desktop, iOS and Android Mobile Apps.

This capability works by making a copy of your encrypted vault to your local device. The vault ciphertext is stored in an encrypted format which is only accessible if the user provides their Master Password or biometric authentication. Offline access also works with multiple accounts on the same device.

Offline Authentication Methods

Master Password
Biometrics

Platforms That Support Offline Access

Platform

Version

Desktop

Keeper Desktop App (Mac, Windows, Linux)

Web Browser

Web Vault (Chrome, Safari, Firefox, Edge)

Mobile (Conditional Access on iOS)

iOS | Android

Mobile - Conditional Offline Access:

Offline mode is available as long as there are no enforcements or specific 2FA settings that directly prevent it. See Troubleshooting for scenarios that affect offline access via your mobile device.

Work Offline With an SSO Enabled Account

If your organization's SSO is not available (e.g. is offline), click Work Offline in the lower right corner of your screen then click the Enterprise SSO Login dropdown and select Master Password to gain access to your vault offline.

From the login screen, enter your Master Password as usual to login offline.

For users who normally login with SSO and do not also have a master password setup, you must first configure one in order to login to Keeper when offline. Simply visit your vault Settings Menu and clicking Setup next to "Master Password".

This feature can be activated by the Keeper Administrator from the Keeper Admin Console. The role enforcement policies are documented here.

Offline Setup

To access Offline Mode, your device will need to be “primed” with a local copy of your vault by logging in with an online connection at least once. Moving forward, you will have access to all of the records in your vault and you can create new records and edit existing records, all without requiring a network connection.

Users can confirm their Keeper Vault is available offline via a lightning bolt icon or "Available Offline" text which indicates your vault data has been loaded onto that device. If the availability indicator is not present, you will need to login to your vault at least once while online.

Enable Offline Access

Web Vault & Desktop App

By default, Offline Access will be turned off. To allow Offline Access, click on your email address in the upper-right corner of your vault home screen and select Settings > Security. Next click the dropdown menu next to "Allow Offline Access". You will then be asked to re-authenticate to Keeper in order to proceed.

Once you've entered your master password, you can choose for how long you would like Offline Access to be available (Always, 30 days, 14 days, 7 days or 1 day).

Android

To allow Offline Access on your Android device, navigate to Keeper's Settings menu (Settings are located under your Avatar in the upper right corner of the app).

Next, tap Allow Offline Access and choose your preferred offline duration (Always, 30 Days, 14 Days, 7 Days, or 1 Day). Lastly re-authenticate to Keeper when prompted.

2FA and Offline Mode

If 2FA is enabled on your account, a warning will appear informing you that 2FA will be bypassed when accessing your vault in Offline Mode. This ensures that users are aware of the potential reduction in security when accessing the vault offline.

Re-authentication for Offline Access Changes

You will be required to re-authenticate whenever you toggle the offline access on, including selecting a specific offline duration (e.g., Always Allowed or 30 Days). No re-authentication is needed when changing between the available "on" options (e.g., from 30 days to 14 days).

Work Offline

To activate Offline Mode from the vault login screen or from within your vault on Keeper Web or Desktop, click on the Work Offline button in the lower right corner of your screen. On iOS and Android, Offline Mode will automatically be initiated when logging in if you aren't connected to the internet.

The "Offline Mode" indicator will appear at that top of your vault window.

You can resume a session online at anytime (provided you have a stable network connection) by clicking Go Online in the upper right corner of your vault window.

When biometrics (Touch ID, Windows Hello) have been activated on an account from the Keeper Desktop application, you can use this to authenticate offline instead of a Master Password.

To log in offline with biometrics, first enable it from your account dropdown menu, Settings > Security.

Resuming Online Session

You can resume a session online at anytime (provided you have a stable network connection) by clicking Go Online in the upper right corner of your vault window.

Offline Features

Keeper's offline capabilities are central to a user's ability to retrieve important data even in the poorest of network conditions. Key vault features that are available offline include:

Creating new records
Editing records
Moving records and shortcut creation (Mobile App)
Viewing your Security Audit score
Viewing Deleted Items (Web and Desktop)

A notice will appear if you attempt to perform an action that is not available while offline.

If a device is being used temporarily (e.g. a borrowed PC), then the stored offline vault can be deleted from that device.

From the vault login screen, click the dropdown icon in the email address field, then click the "X" to the right of your email address to delete all offline data associated with that vault from the device. This action can be similarly performed on all Keeper platforms.

When logging in offline on a Web Browser (Chrome, Firefox, Safari, Edge), the user must navigate to the exact URL: US Data Center: https://keepersecurity.com/vault US Public Sector / GovCloud: https://govcloud.keepersecurity.us/vault EU Data Center: https://keepersecurity.eu/vault AU Data Center: https://keepersecurity.com.au/vault CA Data Center: https://keepersecurity.ca/vault JP Data Center: https://keepersecurity.jp/vault

Administrative Guide

Admin Console Interface for Offline Mode

Offline access for users can be enabled or disabled via the Admin Console's Enforcement Policies menu with a simple toggle, by default Offline Access is enabled.

Offline SSO and Master Password

To provide users who normally login with SSO the ability to access their vault in offline mode, the Keeper Administrator can enable the use of a Master Password as a role-based enforcement, this feature is disabled by default.

To enable SSO users the ability to set a Master Password for offline access, turn "on" the Allow users who login with SSO to create a Master Password toggle in the Login Settings section of Enforcement Policies menu.

Considerations for Offline Access

In order have a local repository to access offline the vault needs to have been authenticate and synchronized online first at least once.
Ensure that the Remember Email checkbox is selected at the login screen of the Web Vault.
The data in the vault will be as current as the last data push.
Master Password or Biometrics support offline access.
By definition, Two-Factor Authentication protects cloud-based APIs and online authentication. When users authenticate to their vault, they authenticate both locally and on the server. During offline mode, the user is authenticating locally and decrypting their vault. Therefore, during offline mode, users are not prompted for Two-Factor Authentication.
If 2FA is enforced for every login from role policies or user selection, offline mode will not function on that particular device.

PreviousCompliance Reports NextSecrets Manager

Last updated 1 day ago

Was this helpful?