At Keeper Security, product innovation is the cornerstone of our mission to empower our customers to protect their credentials, secrets and connections, and to reduce the
Keeper Security continually invests in new, more robust technologies to counter emerging threats. That’s why Keeper is upgrading our account recovery process via a new and more secure 24-word “recovery phrase” feature, replacing the current user-customizable security question-and-answer recovery method.
What are Recovery Phrases?
A 24-word recovery phrase is a break-glass method of recovering your Keeper Vault if you forget your master password. As long as you have your recovery phrase, you can always regain access to your Keeper Vault.
Keeper has implemented recovery phrases using the same BIP39 word list used to protect crypto wallets. The word list in BIP39 is a set of 2,048 words used to generate an encryption key with 256 bits of entropy. Each word in the BIP39 list is carefully selected to improve visibility and make the recovery process less error-prone.
What Does This Mean for Keeper Users?
Users with security questions enabled on their vaults will be prompted to replace their security answer with a strong 24-word recovery phrase that is generated by Keeper. Users should store this recovery phrase in a safe place such as a physical safe.
Note: This only replaces your security answer in case you forget your master password. This does not replace your master password, fingerprint or Face ID. Keeper will generate the recovery phrase for you when you log in to your vault. If you don’t want a recovery phrase, you can skip it; however, this means that if you forget your master password you won’t be able to recover your account. Creating a recovery phrase is an opt-in change, which means that Keeper will remind you to make this change periodically, but it’s up to you whether or not you proceed.
The 24-word recovery phrase generates a unique 256-bit AES key that encrypts a copy of the user’s 256-bit AES data key. The data key decrypts each record key, which then decrypts each vault record. To recover the account and reset the master password, users must have the recovery phrase and provide an email verification code. Users with Multi-Factor Authentication (MFA) enforced must also pass the MFA step.
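The key chain described above, as an added example that is not Keeper's code: the recovery key unwraps a copy of the data key, which unwraps the record key, which decrypts the record. Assumptions: random 32-byte values stand in for the key the recovery phrase generates and for the master-password key, AES-256-GCM is the chosen mode, the master-password copy of the data key is modeled the same way, and all function and field names are hypothetical.

```ruby
require 'openssl'

NONCE_LEN = 12 # GCM nonce size in bytes
TAG_LEN = 16   # GCM authentication tag size in bytes

# Encrypt under a 256-bit key; returns nonce || tag || ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverse of seal. Raises OpenSSL::Cipher::CipherError on a wrong key or a
# modified blob, so a bad recovery key fails at the first layer.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Stored vault: ciphertext only. Field names are hypothetical.
def build_vault(master_key, recovery_key, record)
  data_key = OpenSSL::Random.random_bytes(32)
  record_key = OpenSSL::Random.random_bytes(32)
  { data_key_by_master: seal(master_key, data_key),     # assumed primary copy
    data_key_by_recovery: seal(recovery_key, data_key), # the copy from the text
    record_key: seal(data_key, record_key),
    record: seal(record_key, record) }
end

# Data key -> record key -> record, starting from the master-password key.
def read_record(vault, master_key)
  data_key = unseal(master_key, vault[:data_key_by_master])
  unseal(unseal(data_key, vault[:record_key]), vault[:record])
end

# Recovery: unwrap the data key with the recovery key and re-wrap it for the
# new master password. Record keys and records are left untouched.
def recover(vault, recovery_key, new_master_key)
  data_key = unseal(recovery_key, vault[:data_key_by_recovery])
  vault.merge(data_key_by_master: seal(new_master_key, data_key))
end
```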

Keeper administrators for business and enterprise accounts can disable account recovery for their users in the role enforcement policy section of the Keeper Admin Console. If enforced by the Keeper administrator, account recovery can be used even with SSO-enabled accounts.
Important: If you forget your master password and lose your recovery phrase, you cannot access your Keeper Vault. Due to Keeper’s zero-knowledge architecture, the Keeper team cannot help recover a lost recovery phrase.
Please ensure that all of your Keeper applications are up to date to utilize this new capability.
If you have any questions regarding this new account recovery method, please don’t hesitate to contact our support team.