Over the past decade, cloud computing, mobility, and the Internet of Things rendered the concept of the enterprise network perimeter moot. In 2020, the COVID-19 pandemic did something quite similar to the concept of the office environment. Workplaces don’t necessarily involve on-premises offices and desks anymore; workforces are distributed between employer locations and remote settings.
With remote employees using a combination of employer-provided and personal devices to log in to enterprise networks and apps, a speedy, efficient, and secure authentication process is more important than ever. To help employers maintain security while making it as easy as possible for their employees to log in and get to work, Keeper has launched a new authentication flow for our customers with enterprise plans that simplifies deployment and usability while enhancing security.
New Login Flow for SSO Users
Keeper’s new login flow simplifies deployment and makes it easier for SSO users to roll out Keeper to their end users. If Keeper recognizes an end user’s email domain as an SSO-enabled Enterprise, the user will be automatically routed to their identity provider instead of having to type in the Enterprise Domain string. When combined with SCIM auto-provisioning or Just-In-Time (JIT) provisioning, onboarding new users is fast and secure.
New Login Flow for Master Password Users
Keeper has also enhanced the login process for Master Password users who have activated multi-factor authentication (2FA). For Master Password users, if a device is recognized and 2FA is activated, the user will receive a 2FA prompt before typing in their Master Password. Attempts to log in with a Master Password will be denied until the user passes the device verification and 2FA step. Only users with recognized devices will be asked to perform the 2FA step; users attempting access with unauthorized devices will not be prompted for 2FA.
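The ordering described above can be modeled as a small server-side state machine. This is an added sketch, not Keeper's code: the `LoginSession` and `Step` names are hypothetical, and it assumes that a newly approved device continues to the 2FA step and that accounts without 2FA go straight to the Master Password step.

```python
from enum import Enum, auto


class Step(Enum):
    DEVICE_APPROVAL = auto()   # unrecognized device: must be approved first
    TWO_FACTOR = auto()        # recognized device on an account with 2FA
    MASTER_PASSWORD = auto()   # earlier steps passed; password is accepted
    AUTHENTICATED = auto()


class LoginSession:
    """Hypothetical server-side state for one login attempt."""

    def __init__(self, device_recognized, two_factor_enabled):
        self.two_factor_enabled = two_factor_enabled
        self.step = (self._after_device() if device_recognized
                     else Step.DEVICE_APPROVAL)

    def _after_device(self):
        # Assumption: accounts without 2FA skip directly to the password step.
        return Step.TWO_FACTOR if self.two_factor_enabled else Step.MASTER_PASSWORD

    def approve_device(self):
        if self.step is not Step.DEVICE_APPROVAL:
            return False
        self.step = self._after_device()
        return True

    def submit_two_factor(self, verify_code):
        # Unrecognized devices never reach the 2FA check, so they get no prompt
        # and no signal about whether a guessed code was valid.
        if self.step is not Step.TWO_FACTOR:
            return False
        if verify_code():
            self.step = Step.MASTER_PASSWORD
            return True
        return False

    def submit_master_password(self, verify_password):
        # Denied without evaluating the password until device verification and
        # 2FA have passed, so the endpoint cannot be used to test passwords.
        if self.step is not Step.MASTER_PASSWORD:
            return False
        if verify_password():
            self.step = Step.AUTHENTICATED
            return True
        return False
```

The verifier arguments are callables so that a gated request can be rejected without the secret check ever running.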
Simplified Device Approval with Keeper Push™
Keeper Push, Keeper’s proprietary notification-based device approval system, simplifies the device approval process without compromising security. By default, users are asked to approve an unrecognized device using email. Keeper will now support 2FA code entry from a TOTP or text message, or a push notification to an existing, recognized device.
For users who log in with the new Keeper SSO Connect™ Cloud option, Keeper Push allows secure device authorization and private key transfer between the user’s devices. Keeper Push provides zero-knowledge encryption on the device while giving users seamless integration with existing SSO identity providers.
For Master Password users, Keeper Push can be used for approving new devices instead of relying on email.
Please note that Keeper Push is currently only available on the Web Vault, with support on iOS, Android and Keeper Desktop platforms scheduled to be rolled out in a few weeks.
Work Offline Mode
Previously, Work Offline mode activated only when Keeper detected that a user was offline. Now, users can activate it themselves and log in to their Vault without an internet connection. Please note that Work Offline is only available to business customers whose plans have Enterprise Admin enabled.
Support for Keeper SSO Connect™ Cloud
Keeper’s new enterprise authentication flow supports our 100% cloud-based integration with SSO identity providers such as Office365/Azure, Okta, JumpCloud, ADFS, Ping Identity, OneLogin, and all other SAML 2.0-compatible identity providers. Keeper SSO Connect™ Cloud is being rolled out across platforms during September. Please refer to the Keeper SSO Connect™ Cloud availability page for more details.
Reduced Reliance on Master Passwords
Keeper now supports the use of session tokens stored dynamically in memory with server-controlled state, instead of requiring the user’s Master Password locally for deriving authentication hashes. This reduces reliance on the Master Password and unlocks future capabilities such as cross-device login, session persistence between browser restarts, and multi-vault switching.
Support for Elliptic Curve Cryptography
Keeper’s new SSO Connect™ Cloud feature takes advantage of client-side generated ECC (Elliptic Curve Cryptography) private/public key pairs for seamless, secure integration with SSO identity providers. By using device-level ECC keys to protect user vaults, Keeper maintains zero-knowledge while offering a full, cloud-based SSO integration.