Enable Account (Vault) Transfer

Configure Account Transfer to support Administrator device approval.

Vault Transfer permission is required for Admin device approvals until Sept 30, 2020. After Sept 30, a new Admin Role Policy specifically designed for Admin Approvals will be launched.

Account Transfer

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper roll-out. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure. Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.

Account Transfer in Support of SSO Connect Cloud™

When a user is onboarded via SSO Connect Cloud™, a device public/private key pair is generated by the client device. The private key is stored locally and the public key is stored on the Keeper cloud server. The vault's data key is encrypted with the device public key. When a user needs to log into a new device, they can approve from a previously logged in device which will encrypt the data key with the new devices public key and the new device will be able to decrypt it with the device private key. To allow an administrator the ability to perform a device approval (to support a user who has deleted all their devices) having account transferred enable on a role that all SSO users are members of will share the data key to the administrators and support the the exchange of keys for a new device.

Failure to enable Account Transfer may result in an orphaned vault if the last vault instance is deleted without approving access on a new device.

How to Enable Account Transfer

Visit the section in the Enterprise Guide on enabling account transfer: https://docs.keeper.io/enterprise-guide/account-transfer-policy#how-to-enable-account-transfer-functionality

Switching to Dedicated Policy

By Sept 30, 2020, Keeper will introduce a new Administrative Permission that will permit an admin to perform device approvals without requiring Vault Transfer permissions. Stay tuned!