Hardware Security Keys on Mobile

This guide covers everything you need to know about using a hardware security key with Keeper on iOS and Android. It includes setup instructions, PIN behavior, device compatibility, and how to work through common issues.

Supported Hardware Keys

iOS

Keeper works with any FIDO® Certified security key on iOS. For a complete list of certified keys, visit the FIDO® Certified Showcase.

A few things to know before getting started:

• NFC keys are supported on most iPhone models. iPads do not support NFC hardware keys. Only keys that plug in directly (via Lightning or USB-C) will work on iPad.

• NFC keys do not work in KeeperFill, the autofill extension on iOS. See the NFC Keys and KeeperFill section below for a workaround.

• USB-C keys require Keeper version 16.12.0 or later.

iOS Version Compatibility

Android

Keeper supports any FIDO2 certified hardware key on Android. Compatibility may vary depending on the key manufacturer and Google's FIDO library. For a complete list of certified keys, visit the FIDO® Certified Showcase.

A few things to know before getting started:

• Most FIDO2 keys with NFC support will work over NFC on Android.

• If you run into issues with a specific key, try registering it over USB instead of NFC, or register it from the Keeper Web Vault and it will sync to your mobile device.

Setting Up a Security Key

Before adding a security key on either platform, you need at least one other two-factor authentication method already active on your account. This acts as your backup in case the key is unavailable.

On iOS

1. Open the Keeper app and go to Settings > Two-Factor Authentication.

2. Tap Add next to "Security Keys", then tap + Add Key.

3. Give your key a name and tap Register.

4. Follow the on-screen prompt. Either plug your key in or tap it against the back of your iPhone.

5. If your key has a PIN, you will be prompted to enter it.

6. When registration is complete, tap OK on the confirmation screen.

On Android

1. Open the Keeper app and go to Settings > Two-Factor Authentication.

2. Tap Add next to "Security Keys", then tap + Add Key.

3. Enter a name for your key and tap Register.

4. Select NFC Security key or USB Security key from the list of options.

5. Hold your key flat against the back of your device (for NFC) or insert it into the USB-C port.

6. Keep the key in place until the app confirms registration on screen.

Login Frequency

How often you are asked to use your security key depends on your two-factor authentication frequency setting.

• Every Login: your key is required every time you open Keeper and log in.

• Every 12 Hours: your key is required once every 12 hours.

• Every 24 Hours: your key is required once every 24 hours.

• Every 30 Days: your key is required once every 30 days.

• Don't ask again on this device: your key is only required once per device.

You can change this at any time in Settings > Two-Factor Authentication > 2FA Frequency.

PINs and Hardware Security Keys

You can set a PIN on your hardware security key using the manufacturer's software, such as Yubico Authenticator. A PIN adds an extra layer of protection if your key is ever lost or stolen, but it is optional.

On iOS: If a PIN is set on your key, iOS will ask you to enter it every time the key is used. There is no way to skip the PIN prompt; this is enforced at the iOS system level.

On Android: PIN behavior can vary depending on your device manufacturer. If you are running into problems during setup or login, try registering the key without a PIN first to rule out PIN-related compatibility issues.

iPad and Hardware Security Keys

Hardware security keys do work on iPad, with one important limitation: no iPad model supports NFC. Only keys that physically connect to your device will work:

• Lightning connector keys for older iPad models

• USB-C keys for newer iPad models (requires Keeper 16.12.0 or later)

Combination keys that support both NFC and plug-in, like the YubiKey 5C NFC, are compatible with iPad via the plug-in connection only.

Known Issues

NFC Not Working on New YubiKeys (Firmware 5.7+)

Affects: YubiKeys with firmware 5.7.0 or newer, on both iOS and Android

Starting with firmware 5.7, all new NFC-capable YubiKeys ship with NFC intentionally disabled. This is a Yubico security measure called Restricted NFC, designed to prevent tampering while the key is still in packaging.

When you tap one of these keys against your phone for the first time, your browser may open to a Yubico setup page (yubico.com/getting-started) instead of completing the registration. This means NFC has not been activated yet.

To activate NFC on a firmware 5.7+ YubiKey:

Plug your key into any USB port (a computer, charger, or USB hub) and leave it connected for about 3 seconds. You only need to do this once, and NFC will work normally from that point on.

YubiKey NFC Registration Fails on Android (Error code 28)

Affects: Android, YubiKey firmware 5.7.1 specifically

Some users with a YubiKey running firmware version 5.7.1 see the following error when trying to register the key over NFC on Android:

"Something went wrong with your Security Key, please try again. (Error code 28)"

The error typically appears at the very end of the registration process, sometimes right after a screen that says the registration was successful. Keys running firmware 5.4.3 and 5.7.4 register without issue. This appears to be specific to firmware 5.7.1.

Workarounds:

1. Register using USB instead. Connect your YubiKey to your Android device via USB-C and select the plug-in option during registration. Once registered over USB, the key can typically be used over NFC for logins going forward.

2. Register using the Web Vault. Log in to your vault from a desktop browser (Chrome or Edge) and add the key from there. Once added to your account, it will be available on your mobile device.

3. Register a different key first. If you have access to another YubiKey on firmware 5.4.3 or 5.7.4 or newer, registering that key over NFC first and then retrying your 5.7.1 key has resolved the issue for some users.

NFC Keys and KeeperFill on iOS

Affects: iOS, NFC hardware keys

NFC hardware keys do not work with the KeeperFill autofill extension on iOS. This is a system-level limitation. iOS does not allow third-party extensions to initiate NFC key interactions.

Workaround: Enable Stay Logged In in the Keeper app settings. With this on, your session stays active and KeeperFill can fill your credentials without needing to re-authenticate with your hardware key each time.

Long-Tap Autofill and Hardware Security Keys on iOS

Affects: iOS 18 and later

iOS 18 introduced a long-tap autofill feature that lets you fill saved credentials into apps and websites directly from your password manager. When your Keeper account is protected by a hardware security key, this flow will not complete as expected. The system needs to interact with the hardware key, which is not compatible with how long-tap autofill works.

Workaround:

1. Enable Stay Logged In in the Keeper app settings.

2. Log in to the main Keeper app on your device first.

3. You can then use the long-tap autofill feature as normal.

YubiKey FIDO PIN Loop on iOS

Affects: iOS 18.1 and iPadOS 18.1, resolved in iOS 18.2

Users on iOS or iPadOS 18.1 with a YubiKey running firmware 5.7 could get stuck in a PIN loop. The key would accept the PIN and then immediately ask for it again, preventing login from completing.

Apple resolved this issue in iOS 18.2 and iPadOS 18.2. Update your device via Settings > General > Software Update to resolve this.

If you continue to experience issues after updating, try removing your security key from your account and re-registering it. For additional details, visit Yubico's support page.

Helpful Links

• Check your YubiKey firmware version: Yubico Authenticator

• Full list of FIDO Certified keys: FIDO® Certified Showcase

• Contact Keeper support: keepersecurity.com/support.html