Keeper has introduced a new way to recover access to your vault should you forget your master password. The irony is, however, that your memory had better be pretty good, since you now need to remember a 24-word phrase to get it back.
The new method replaces the typical security question and answer recovery method, which users could customize to be whatever they liked - handy if typical suggestions such as your first pet's name don't apply to you.
In explaining the encryption process, Keeper says that, "the recovery phrase generates a unique 256-bit AES key that decrypts a copy of the user's 256-bit AES data key. The data key then decrypts each individual record key, which in turn decrypts each vault record."
BIP39
The new recovery phrase relies on the BIP39 system, which is used to protect crypto wallets, and utilizes a string of random words to generate encryption keys. There are 2048 words in the list which have been "carefully selected to improve visibility and make the recovery process less error-prone."
From this list, 24 random words are generated when you set your recovery phrase in Keeper. The company has said that users who already have security questions set up as their recovery method will be prompted to change it to the new 24-word phrase.
As committing this phrase to memory is unlikely, Keeper says: "It is important for users to store this recovery phrase in a safe place such as a physical safe, and not on a computer, phone or other device."
In the event that users need to reset their master password, they will have to use this new 24-word recovery phrase in addition to an email verification code. Those with 2FA enabled will also need to provide the codes generated on their secondary device, usually via an authenticator app.
As expected of the best password manager for mid-sized businesses, Keeper enterprise and business customers have a greater degree of control. Administrators on these plans can disable account recovery as an option for users in their organization in the role enforcement policy section of the Keeper Admin Console. Administrators can enable account recovery on SSO-enabled accounts.
Keeper cautions that, because it employs a zero-knowledge policy, a user who forgets both their master password and recovery phrase will be locked out of their account for good, as Keeper cannot recover it for them.
- Keeper also made it onto our list of the best business password managers