To preserve Zero Knowledge, an Elliptic Curve public/private key pair is generated for each device. The private key on the device encrypts and decrypts the user's vault. Signing into a new device requires a key exchange that is processed by our Keeper Push feature or approved by a designated Admin. Automated admin approvals can be configured in several different ways.