Remote access to company resources through web browsers has grown exponentially in recent years. With that growth comes an increased risk of exposing sensitive information and
While support for hardware security keys is not new to Keeper, historically users were required to have a backup Two-Factor Authentication (2FA) option in addition to using a security key. Keeper is excited to announce support for user authentication leveraging only a hardware security key as the 2FA method, without requiring a backup option.
Consumers and business users alike can use a security key as their only 2FA method; the setup instructions are outlined below. Existing users can log in to the Keeper Web Vault or Keeper Desktop App and remove other methods of 2FA if they prefer to use only the security key method. Keeper allows users to have multiple security keys, so users can keep backup keys in case one is lost. If all keys are lost, business customers can contact their Keeper administrators for help.
How to Set Up Security Keys With Keeper
Inside the Keeper Vault, administrators can enforce rules that require users to leverage security keys as their only two-factor authentication method from the vault Settings screen. To add a security key, select Setup in the Security Keys section. Additionally, administrators are able to require their users to have a PIN along with the security key, further protecting their vaults.
Upon logging into their Keeper Vault, users will be presented with the following screen, prompting them to set up two-factor authentication.
To configure a security key, users will follow the steps outlined in the vault.
Users will need to insert their security key into a USB port, provide a name for the security key and select Register.
After naming, some devices will require the user to touch the button on the security key to finalize setup. At this point, the security key will be associated with the Keeper user and be required for login.
If the administrator did not enforce a PIN requirement, users can toggle that option on for themselves in their vault settings. Consumer users can choose whether or not they wish to require a PIN using the toggle box in the Associated Security Keys window.
In FIDO2 WebAuthn, administrators have three options for user verification: Discouraged, Preferred and Required.
- Discouraged is the least restrictive option and does not require users to enter a PIN, but they will still need to tap their security key to confirm.
- Preferred is the Keeper default setting, which prompts the user to enter their PIN if one has been set up on their security key.
- Required is the most restrictive option and requires users to enter their PIN and mandates the setup of a PIN if one does not already exist.
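As an added example (not Keeper's code), the sketch below shows how a WebAuthn relying party could enforce these three settings on the server by reading the User Present and User Verified flag bits in the authenticator data returned with each login. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: server-side enforcement of WebAuthn user verification.
// Flag bit positions come from the WebAuthn authenticator data format.
const FLAG_UP = 0x01; // User Present: the key was touched
const FLAG_UV = 0x04; // User Verified: PIN (or biometric) was checked

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical policy check; `policy` is the userVerification value the
// server put in the request options for navigator.credentials.get().
function checkUserVerification(policy, authData) {
  const { userPresent, userVerified } = parseAuthenticatorData(authData);
  if (!["discouraged", "preferred", "required"].includes(policy)) {
    throw new Error("unknown userVerification policy: " + policy);
  }
  if (!userPresent) return { ok: false, reason: "no touch (UP flag clear)" };
  if (policy === "required" && !userVerified) {
    // The browser-side option alone is not proof: the signed flags are.
    return { ok: false, reason: "PIN required but UV flag clear" };
  }
  return { ok: true, reason: userVerified ? "touch and PIN" : "touch only" };
}

// Constructed sample input: zeroed rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const data = new Uint8Array(37);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, signCount, false);
  return data;
}

console.log(checkUserVerification("required", sampleAuthData(0x01, 5)));
console.log(checkUserVerification("preferred", sampleAuthData(0x01, 5)));
console.log(checkUserVerification("required", sampleAuthData(0x05, 6)));
```

A real relying party also verifies the assertion signature, the challenge and the rpIdHash before trusting these flags.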
Keeper supports login on iOS and Android devices with a security key, but setup of a security key as the only 2FA method currently needs to be performed on the Web Vault or Keeper Desktop App. iOS and Android operating systems do not currently support the use of a PIN code with FIDO2 keys.
Security key authentication as the only 2FA method is not compatible with Keeper SSO Connect On-Prem. For organizations using Keeper SSO Connect On-Prem who would like to leverage security key authentication exclusively, please get in touch.
For more in-depth technical information, please refer to the release notes.