Device Approvals

To access keeper, each device must first be approved. Devices include your physical devices (computers, phones, tablets, etc) and web browsers.
Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.
Users can approve their additional devices by using a previously approved device. For example, if you are logged into your web vault on your computer already, and logging into your phone app for the first time, you will get a device approval prompt on your web vault with the mobile device's information which you can approve or deny.
Device Approvals perform an encryption key exchange that allow a user on a new device to decrypt their vault.

Device Approval Overview

Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.
When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".
Using Guest, Private or Incognito mode browser modes will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.
To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customer to host a service which performs the device approvals and key exchange automatically, without any user interaction.
When logging into a new or unrecognized device, the user has two options:
  • Keeper Push (using their own devices)
  • Admin Approval (request administrator approval)
Or, you can skip this step completely using the Automator service.
Keeper Push - Device Approval

Private Browsing Mode

Web browsers in "Incognito" or "Private Browsing" mode will be treated as a new / unrecognized device and will require device approval every time the browser window is closed.
This could cause confusion for your users if they don't have another device (such as a mobile phone or another computer/browser that is actively being used).
To mitigate confusion, we recommend using one of the automated approval methods as described in the following sections.

Approve Devices Role Permission

A special role permission called "Approve Devices" provides a Keeper Administrator the ability to approve a device.
(1) Go to Roles within the root node or the SSO node
(2) Select the gear icon to control the Admin Permissions for the selected role.
(3) Assign "Approve Devices" permission
Now, any user added to this role is able to login to the Admin Console to perform device approvals.