Join our September 20th Live Webinar on the 2017 State of SMB Cybersecurity


We are excited to announce a free webinar on September 20th at 1 pm CST for small and mid-sized businesses (SMBs) with exclusive access to research from the 2017 State of SMB Cybersecurity Report. The presentation is chock-full of information on how trends have shifted and concrete recommendations to safeguard your business.

Cybersecurity has become an area of increasing concern for SMBs as costs associated with attacks continue to climb. To help uncover the current state of SMB cybersecurity, Keeper Security teamed up with the Ponemon Institute to survey 1000 SMB IT leaders.

The results unveiled that SMBs are a huge target for hackers and that many businesses are lacking in proper security coverage.

During this webcast, you’ll learn:

1. The single greatest cyber threat your business faces right now.
2. How much a security breach could cost your business.
3. Simple solutions to protect your company, customers and employees.
4. Tips on how to create and manage secure BYOD and IoT policies.

Emceed by Rieva Lesonsky, prolific editor of Small Biz Daily, and co-hosted by Dr. Larry Ponemon, Founder of the Ponemon Institute and Darren Guccione, CEO of Keeper Security, this webinar will arm you with the latest and greatest information you need to create a strong cybersecurity position for your business.

Click here to sign up!

Pssst, Pass The Word: Password Security for Students Is Easy. Help get their school year off to a safe digital start!


Summer’s looming end signals the beginning of another school year, which should also heighten parental concerns about their kids’ cyber safety. With near ubiquitous access to everything and anything on the Internet via smartphones, tablets and laptops, students become prime targets for hackers that know these users tend to be more carefree and less security conscious than adult users.

Thus the burden of helping kids maximize security online falls to their parents, to some degree – not unlike in helping children manage other aspects of their lives today. Very often children use networks as well as devices that are shared with parents and caretakers. This makes them fair game for hackers not only seeking to access the kids’ devices, but also gain access to the private data and files of others. This article focuses on a common, highly effective tip and technique for keeping hackers at bay.

Passwords, passwords, passwords

When it comes to helping secure your children’s digital life, so much can be accomplished with some of the simplest techniques, and many of them revolve around proper use and application of passwords. Why? For one thing, the hackers know full well that weak passwords are often the norm. Small wonder then that in one major survey, nearly two-thirds (63%) of confirmed data breaches involve weak, default, or stolen passwords.

The weak password problem isn’t just a problem for consumers either. As shown in yet another major study, nearly six in 10 companies surveyed have no visibility into employees’ password practices. These include use of unique or strong passwords and sharing of passwords with co-workers. Not only that, but the study also found that even if an organization has password policies, 65% do not strictly enforce them. So it’s small wonder that 60% of employees use the same password for everything.

What all this means is that hackers realize that weak passwords are common everywhere, and therefore they have raised their game at cracking them.

What to do about passwords?
The conventional wisdom has long been to make passwords as awkward and cumbersome as you can remember, inserting weird characters, numbers, upper and lower case letters, and so on. But the man who put those recommendations forward a decade ago has now changed his mind, as outlined in this recent article in the Wall Street Journal. He now claims that overly complex passwords can actually limit overall use because people cannot remember them. And a student’s mind, crammed with all sorts of other details, will not necessarily remember them any better.

There is a way parents can intervene to ensure password security without limiting their children’s desire to live digitally 24/7. And that is to download and use a password management system, and then demonstrate its great ease of use to their children before returning to school. Some of the best ones are free of charge for individuals. Other versions are available for nominal charges for entire families.

How do they work?
What do these easy-to-use solutions do and how do they work? A good password manager will create, retrieve, apply and then even keep track of long, complex, highly secure, random and most of all different passwords across all your children’s different accounts, including all their social media accounts. In doing so these password managers not only protect your children, but also in the case of shared networks and devices protect your PINs, credit-card numbers, answers to security questions, and so on. In fact the passwords are so complex and can change so often that cracking them is nearly impossible, or at least so difficult that hackers will likely just move on to easier targets.
All your students have to do is remember one single password, much as they do now. That will unlock the password manager’s ‘vault’ where their unique passwords are kept and taken out when your children log into any online service or site. It literally is that easy.
Using password managers doesn’t mean your children shouldn’t use other measures, such as two-factor authentication, which means they need two different steps to get online or to access online sites. But they can virtually assure you that your students are safe from the most common of all hacker techniques, namely stealing and compromising passwords in an attempt to unlock a world of trouble, aggravation and even worse on your students.

What else?
There is of course an entirely different range of security measures that parents must ensure once their student children are actually on line, and there is no shortage of excellent articles available discussing specific techniques for doing so. However when so much in terms of student cyber security can be accomplished with such a minimum effort and with such simplicity, downloading and using a password manager may be the single best tip for parents seeking peace of mind as the new school year begins.

Android O Customers Now Have the Support They Need to Autofill Apps with KeeperFill


Keeper Security is excited to announce the availability of Autofill support for all our Android O (“Oreo”) customers. This means devices with the latest Android 8.0 Oreo in hand can permit Keeper to fill passwords, save passwords and store payment information in native apps.

Autofill remembers your logins and quickly gets you into an app. Here is an example of what it looks like to log into Twitter on your Android phone:

https://blog.keepersecurity.com/wp-content/uploads/2017/08/keeper-autofill-twitter.gif

This new feature not only saves time when logging in and shopping but also provides the strong security Keeper customers rely upon. We have worked closely with Google to integrate KeeperFill with Android O to provide a seamless Autofill experience on all Android mobile phones and tablets.

Here’s how to work with KeeperFill on Android O:

  1. From Keeper’s “Settings” screen, turn on KeeperFill. You will be guided through the process of activating Autofill capabilities.
  2. Within any native app, tapping on a login form field (or long-press) will provide you with the Autofill interface.
  3. To support the Chrome web browser, customers can continue using previous KeeperFill functionality (by tapping on the Keeper lock icon on the right side of the screen) until Android Autofill supports all native web browsers.

Keeper for Google Play can be accessed through the following link from your Android phone: https://keepersecurity.com/download. To install the beta, click on the “Beta” signup link within the Google Play listing.

Android O’s latest improvement gives our Android customers the comfort and convenience they need to utilize Keeper’s strong password management platform. Smarter, faster, more powerful and sweeter than ever, the world’s favorite cookie is now your favorite new Android release. Enjoy!

 

7 Security Tips Any Small Business Can Master


Small businesses are the backbone of the American economy. Unfortunately, they’re also one of the worst cybersecurity risks. Small businesses were the target of 43% of cyberattacks in 2015, up from 18% four years earlier. Many small business owners aren’t computer-savvy and can’t afford the time and expense to hire security professionals, but you don’t have to be a techie to take the following measures, many of which can be implemented by trusted employees, freelancers or even a savvy high school student. They’ll prevent the vast majority of breaches.

  1. Teach Good Password Security Practices

Weak passwords are the most common cause of cyber breaches, and it’s such a simple problem to cure. One technique is to train employees to use mnemonics, such as the first letter of a memorable phrase, combined with some simple letter substitution (“Chicago Cubs Win the World Series at Last!” becomes “CCWtVVS@L!”). Ask employees to change their passwords about every six months. Too-frequent changes can actually encourage people to take shortcuts that increase risk.

A password manager is a great tool for encouraging good password security, since it creates highly secure passwords on demand and stores them so people don’t have to remember anything other than the password for the manager itself. Another effective technique is two-factor authentication (2FA), which backs up a password with a second medium like a texted code or fingerprint. 2FA takes a little more knowledge to set up, but any experienced system administrator will know how.

  2. Buckle Down on Permissions

When setting up a server for a small business, it’s tempting to bypass file- and folder-level security under the assumption that you know and trust everyone in the business. But even if your employees are Boy and Girl Scouts, any hacker who breaches their accounts can run away with your sensitive data. It’s also easy for honest users to mistakenly download or attach privileged information to emails or social media posts.

For your own servers, set all permissions on a “need to know” basis. Use role-based group settings to minimize exceptions. That means senior executives get one level of access, while accounting clerks get another. After all, there’s no need for all your people to have access to financial documents. Making changes at the group level makes administration simpler and more secure.

  3. Secure Wi-Fi Access Points

Setting up a Wi-Fi access point is so simple that it’s easy to forget that it can create gaping holes in your network if not secured properly. Fortunately, adding good security is pretty easy. Most equipment makers give you several security options when setting up their equipment. WPA2-PSK (AES) is considered the best. Choose strong passwords, just as you would with your own login practices, and don’t post passwords in a public place. It’s also a good idea to avoid broadcasting the access point’s name – also called the SSID. Instead, share the name only with people who need to use it.

  4. Teach People About Phishing

Ransomware, which is the fastest-growing form of malware, is spread primarily through phishing attacks, in which users are fooled into clicking on malicious links or attachments that are disguised to look legitimate. The rules for preventing these attacks are simple: Never click on a link unless you are absolutely sure who or where it came from. Teach people how to check for the email address in the “sender” field. Remember that it’s easy to spoof the name of the sender, but you can’t change the email address. If the email doesn’t come from @paypal.com, it isn’t from PayPal.

  5. Backup to the Cloud

Speaking of ransomware, the most effective antidote to that scourge is frequent backups so you can recover information even after your storage media has been encrypted. Many commercial services offer continual backups at a modest cost, so that you’ll never lose more than a few minutes’ worth of data. They’re easy to install and well worth the price.

  6. Consider Virtual Desktop Infrastructure (VDI)

If you want to bypass the risk of viruses or phishing attacks entirely, consider this technology, which stores desktops remotely on a server and downloads them when users log on. VDI used to have the reputation of being slow and inflexible, but today’s technology makes the user experience almost indistinguishable from that of a local desktop. Among the advantages are that updates can be pushed to everyone simultaneously and users can’t save or launch applications on their virtual desktops without permission. This gives IT administrators added control and peace of mind.

  7. Use Virtual Private Networks (VPNs) for Remote Access

A lot of small businesses employ people in remote locations or hire contractors to enhance flexibility and cut down on cost. Or they may simply permit their employees to connect from home or a coffee shop via their laptops or smart phones. But did you know that most public Wi-Fi services don’t offer any protection over the data that traverses them? The best way to protect yourself is to use a VPN that establishes encrypted remote connections so sensitive data is never at risk. Many commercial services are now available at modest cost, with easy setup.

That wasn’t so difficult, right? Keep in mind that one of the advantages of being a small business is that attackers are mainly focused on the big fish. That doesn’t mean you should be complacent, but if you follow these seven tips, your likelihood of being compromised is very low.
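The sender check from the “Teach People About Phishing” tip, as an added example (not code from the original post): it flags a From header whose display name or domain invokes a brand while the address domain is neither that brand’s domain nor a subdomain of it. The brand table and the sample headers are constructed, and the address is assumed to have already passed the receiving mail server’s own sender authentication.

```javascript
// Constructed table: brand keyword -> domains that brand legitimately sends from.
const BRAND_DOMAINS = { paypal: ['paypal.com'] };

// Split a From header into display name and address domain.
// Handles `"Name" <user@domain>`, `Name <user@domain>` and a bare `user@domain`.
function parseFrom(header) {
  const named = header.match(/^\s*"?([^"<]*?)"?\s*<([^<>@\s]+)@([^<>@\s]+)>\s*$/);
  if (named) return { name: named[1].trim(), domain: named[3].toLowerCase() };
  const bare = header.match(/^\s*([^<>@\s]+)@([^<>@\s]+)\s*$/);
  return bare ? { name: '', domain: bare[2].toLowerCase() } : null;
}

// True only for the brand domain itself or a real subdomain of it.
// A plain substring test would accept "paypal.com.account-verify.example".
function belongsTo(domain, brandDomain) {
  return domain === brandDomain || domain.endsWith('.' + brandDomain);
}

// Returns 'ok', 'suspicious' or 'unparseable'.
// Assumption: the address itself was authenticated upstream; this function only
// compares what the message claims to be with the domain it was sent from.
function checkSender(header) {
  const from = parseFrom(header);
  if (!from) return 'unparseable';
  for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
    const claimsBrand =
      from.name.toLowerCase().includes(brand) || from.domain.includes(brand);
    if (claimsBrand && !domains.some((d) => belongsTo(from.domain, d))) {
      return 'suspicious';
    }
  }
  return 'ok';
}

// Constructed sample headers.
const SAMPLES = [
  '"PayPal Service" <service@paypal.com>',
  'PayPal <alerts@mail.paypal.com>',
  '"PayPal Security" <security@account-verify.example>',
  '"Billing" <billing@paypal.com.account-verify.example>',
  '"Alice" <alice@example.org>',
  'not an address',
];

function classifySamples() {
  return SAMPLES.map((h) => [h, checkSender(h)]);
}

for (const [header, verdict] of classifySamples()) {
  console.log(verdict.padEnd(12), header);
}
```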

Are IT Professionals Turning a Blind Eye to Password Security?


If you are an IT leader, particularly in a mid-sized or small organization, here are some mission-critical data security questions for you to consider.

  • When was the last time you voluntarily submitted to having a security audit focusing on password use in your organization?
  • Have you submitted to a third-party penetration test to assess, among other things, how vulnerable the passwords currently in use in your organization are?
  • How would you rate your visibility into the relative password strengths used by company employees?
  • Have you documented and enforced a formal password policy regarding items such as password complexity and expiration?
  • Does your group lead formal password education seminars for all employees?
  • Have you added additional factors to authenticate users?

If after reading these questions you are shuffling your feet beneath the desk when answering ‘no’ or ‘somewhat’ to these questions, the good news is you aren’t alone. The bad news is that there is a lot you should be doing but are not doing to combat a huge source of data leaks, data theft, and data compromise. In other words, you are turning a blind eye to potentially very costly issues, and blame for such will rightly be cast upon you.

Survey says: Weak passwords far too common

Consider the results of a recent major study that found nearly one in five enterprise users use very weak passwords, or share passwords, making their use ‘easily compromised’ according to survey authors. Businesses with higher than average percentages of compromised passwords also had a higher than average percentage of shared passwords.

Survey authors went a step further, investigating how much time it would take to compromise a password using widely available off-the-shelf cracking hardware/software. For low complexity passwords – those that are enforced only for overall length – most passwords could be compromised in less than one day. Medium complexity passwords – those enforced for length and some measure of complexity such as capitalization or using a digit as the last character – compromise took a week or less. And for high complexity passwords – which amp up the requirement for special characters along with capitalization – cracking could take upwards of a month.

These and other aspects of the survey findings, coupled with widely reported data of the use of compromised passwords to steal sensitive information, should be ample reason for users to adopt optimal password hygiene practices. But the data also shows they simply don’t, for convenience if nothing else. As one blogger and data scientist sees it, perhaps one percent of business users really cares or is aware that passwords are based often on patterns and these patterns can be tracked and broken in too many cases.

The torch is passed to IT leaders

Thus the onus is clearly upon IT leadership to plug this potentially yawning gap in data security. And there is plenty these leaders can and should be doing to pre-empt the pending disasters awaiting businesses that permit the use of weak passwords.

For starters, it almost goes without saying that consideration of a rock-solid password management solution is job 1. There are several available but no two are created equal. Look for a solution that allows your users to quickly and easily create super high-strength, random passwords without having to actually remember them, while giving administrators the ability to enforce password policies and monitor compliance with the policies you set.

What the better of these systems offer is visibility for IT into all passwords in use. After all, as one major password study found, nearly six in 10 SMBs have no visibility into employees’ password practices. What’s worse, in typical SMBs today, 60% of employees use the same password for everything – and they’re often not strong passwords either.

Next, the importance of ongoing education by IT leaders of all business users cannot be overstated. Education is a pathway to empowerment, and in this regard educating users about password hygiene can make each user better understand his or her important role in protecting data and the organization as well. You don’t necessarily need to conduct password-only education. Just be sure when hosting security training sessions online or live that password security is prominently featured.

By now it should almost be a requirement that multi-factor authentication becomes a business standard. The better password management solutions make it easy to deploy multi-factor authentication, the use of which can dramatically reduce the incidence of compromised passwords. Remember you don’t necessarily need to make things totally bullet-proof to keep hackers and cyber criminals away. Just make it hard enough for them to not want to spend extra time to break in.

Conclusion

We’ve written before that password management is more than an IT problem, and it is: it is also a problem for senior non-IT execs and for business users. But in the scheme of things, particularly in mid-sized and smaller organizations, IT leadership can and should play the biggest and most effective role in protecting sensitive data by ensuring bullet-proof passwords are the norm, not the exception.

Introducing Keeper’s Emergency Access Feature


Charlotte Gibb remembers the panic that set in when she realized that the death of an employee could also inflict severe damage on her business.

The employee was the operations manager at AutoClerk Inc., a developer of property management software for the hospitality industry where Gibb is executive vice president. “It was shocking. He told us about his lung cancer on Monday and died on Saturday,” Gibb remembers.

The event was a tragedy for the small, closely knit company, but there were business consequences as well. The employee also took with him the password to his Keeper account, where he stored a variety of secure information and logins to services containing company-critical data. “We never had a secure transition plan because we never talked about it,” Gibb said.

If Keeper’s Emergency Access feature had been available at the time, they wouldn’t have needed one. Announced last week, the feature gives up to five trusted family members or friends access to a Keeper user’s secure vault in case of an emergency or tragic event.

Anyone with a Keeper password manager account can use the new feature to add or remove people from Emergency Access, as well as to change the waiting period for access to the vault. The process ensures the highest level of security because, in the spirit of Keeper’s “zero-knowledge” approach to customer security, encryption keys are never shared with Keeper Security or anyone else.

Zero-knowledge is what sent Charlotte Gibb scrambling when her operations manager passed away. She called Keeper tech support but they could offer no help because they were unable to decrypt the operations manager’s passwords. Gibb was fortunate to have access to the man’s email account, which she used to generate a password reset. However, Keeper’s multi-layer security procedures require several security questions to be answered to complete that process. Gibb was eventually able to figure out the answers by calling the man’s partner, but it’s a call she would have rather avoided.

No one likes to think about emergencies or untimely passing, but tragedy rarely strikes when convenient. With Emergency Access, Keeper users can now make their own backup plans without awkwardness or complex procedures. Think of it as accident insurance for your critical data.

Q&A with Keeper’s CTO: What’s New In The Data Threat Environment


Keeper co-founder and CTO on the cold hard facts of data security today.

Craig Lurey is co-founder and chief technology officer at Keeper Security. It’s his job to ensure that Keeper’s solutions stay a step ahead of the dangers in today’s hyper-dynamic threat environment. Here’s his take on just what is changing, and how Keeper intends to change as well.

Q: What is changing most profoundly in the threat environment?

A: The use of cloud-based services continues to grow dramatically, whether we know we are using them or not. For individuals it’s not just email, for example, but there is the IoT with things like Nest controllers, cars with hundreds of on-board computers, new AI services like Google Home and Amazon Echo – all interconnected and accessed by everyday devices. That makes all these devices targets, and the personal information on them vulnerable to attack.

Q: What about the traditional threats, like malware and viruses?

A: Malware, ransomware and viruses will continue as major threats for the near term. But as services move increasingly to the cloud, big firms like Google, Apple and Microsoft and the thousands of skilled security professionals they employ are doing a much better job of identifying and stopping such threats.

Q: How do the attackers burnish and refresh their skills in this changing world?

A: It’s actually quite interesting. Today there are researchers and students in universities and think tanks being trained in cyber security, identifying changing threat vectors. Then they publish their findings and initiate discussions and online chats to embellish their knowledge. Problem is, the hackers and bad guys are also there, getting all the latest information on the latest threats and weaknesses in defenses! And there are plenty of weaknesses.

Q: What is it about cloud services that can be risky?

A: Remember that cloud services are all about software, and all software – it doesn’t matter who wrote it – has bugs. These bugs have the potential to become vulnerabilities. With many cloud services, who knows what measures were taken in the development process to ensure security? Who even asks? Consider Cloudflare, which powers some five and a half million websites. It recently disclosed that a software bug gave hackers the ability to access sensitive data in real-time, including passwords, cookies and tokens to authenticate users. Most likely users of cloud services powered by Cloudflare never even heard of the company but nonetheless could have been victimized by the vulnerability presented by the software bug.

Q: What do these many changes in the threat environment mean for passwords and their management?

A: It is more critical than ever before for individuals as well as businesses to focus on the password. For example when it comes to exploiting weaknesses in cloud services, hackers choose the paths of least resistance. For the most part they aren’t going to sit there and try to decrypt SSL traffic. The easiest attack vector for them is the password. They know individuals use the same ones over and over for different services. So they will attack through some random shopping site, for example, and use various widely available tools to break simple passwords. They aren’t going to target Facebook or Google.

Q: What do businesses need in this regard?

A: They need visibility into password usage throughout their organization. They need to know how individuals are managing passwords, if they are being managed at all. Are they being rotated? Where are they controlled? It all comes down to the same issue, and it is access and who has access.

Q: What is Keeper doing to stay ahead of this dynamic threat environment?

A: We go to extreme lengths to protect our customer’s data, so much so that we don’t have access to it. We are a true zero knowledge product. That means we don’t access or decrypt anyone’s data. So if a hacker happened to get the data stored in a Keeper vault, it would be useless. A zero knowledge environment is the extreme end of data protection. Any encryption or decryption is done solely by the users on their own devices. We are after all protecting our customer’s single most valuable piece of information, namely their passwords.

Q: Without giving away secrets, what can customers expect in the future from Keeper?

A: We are building out a series of products that protect users’ data and their identity, and we’ll be doing that not just with passwords but with other kinds of information as well. In essence we are going to bring our zero knowledge architecture to other product platforms.

Q: Anything else?

A: Yes. The field of DevOps is very rapidly emerging, creating a new category of engineers that not only develop software but also then deploy and manage it through its lifecycle. Our customers will see a migration from pure password management to more privileged access where we still manage the password but also the access to DevOps processes as well. In DevOps the engineers deal with all sorts of functions like access to systems, servers, and cloud services as well as to physical devices. So while we at Keeper are building out and improving upon solutions for business users in marketing, sales, HR and so on, we’ll also focus more on IT teams who are often inundated with securing all these access points. Today there are simply no great solutions out there for them.

Q: Has the near total blurring of the lines between personal and business use of many devices presented particular challenges for organizations, and for Keeper for that matter?

A: Users just expect to intermingle personal and business use, especially on their own devices but even those provided by the employer. We encourage our business users to deploy the Keeper data vault to their business users under a business account. But we strongly advocate for using a separate personal vault on the same device for all personal data. We made multi-account switching really easy and completely seamless. So the business has control only over the business data in the business vault. The individual has complete control over what’s in the personal vault.

Why Keeper Supports the FIDO Alliance

IT security experts will tell you that 80% to 90% of breaches could be prevented if organizations enforced stronger password controls. But IT administrators will tell you that convincing people to use strong passwords is a lost cause. No matter how much you educate, cajole and frighten them, a frustratingly large number of people will still safeguard their critical information with “123456.”

That’s why Keeper has joined the FIDO (Fast IDentity Online) Alliance. The FIDO Alliance is working to create technical specifications for an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords. It’s trying to bridge a seemingly contradictory set of objectives. “FIDO is strengthening the authentication process while at the same time making it easier for users,” said Andrew Shikiar, senior director of marketing at the Alliance. “Our goal is to make it easier for enterprises and service providers to move beyond the password.”

FIDO has a unique approach to authentication that uses public key cryptography to create secure authentication credentials that are stored on and never leave the user’s device. Local authentication is important because it both protects user privacy and reduces reliance on passwords stored on third-party servers, which creates an additional vulnerability point. The FIDO Alliance’s approach is in line philosophically with Keeper’s zero-knowledge architecture.

The use of centralized password databases has been behind the damage of some of the world’s largest security breaches. For example, the two attacks on Yahoo collectively exposed more than one billion user accounts to compromise. Cyber criminals can purchase these lists and use them for “credential stuffing,” or testing the login information on other websites. “The success rate for credential stuffing is as high as two percent, which is staggeringly large,” Shikiar said. “FIDO’s approach to strong authentication can take this threat vector away entirely.”

If two percent doesn’t sound like a lot, consider that running one million usernames and passwords through the authentication process of a bank or stock-trading site at a two-percent success rate translates into 20,000 successful accesses.

The FIDO Alliance is promoting two sets of specifications: Universal Authentication Framework (UAF) and Universal Second Factor (U2F). UAF is most typically implemented in mobile apps. No passwords are involved. Users register their device to an online service by selecting a local authentication mechanism such as a fingerprint, PIN or face/voice recognition, at the service provider’s discretion. From there, users simply repeat the local authentication action whenever they log in.

U2F uses a password complemented by a second factor through a FIDO Security Key such as a USB token — proving that the user is in possession of their device. The use of a second factor enables the service to simplify passwords without compromising security.
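The challenge-response flow behind the public-key approach described above, as an added example (not code from the FIDO Alliance or Keeper, and not the actual UAF/U2F message format): the device keeps one private key per origin, and the server stores only public keys. The class names, origins and user name are hypothetical.

```javascript
const { generateKeyPairSync, createSign, createVerify, randomBytes } = require('node:crypto');

// Device side: one key pair per origin. Private keys never leave this object.
class Authenticator {
  constructor() { this.privateKeys = new Map(); }   // origin -> private key

  // Registration: create a key pair for this origin, hand back only the public half.
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // Login: sign the server's challenge together with the origin the client is on.
  signChallenge(origin, challenge) {
    const key = this.privateKeys.get(origin);
    if (!key) return null;                           // no credential for this origin
    const signer = createSign('SHA256');
    signer.update(`${origin}\n${challenge}`);
    return { origin, challenge, signature: signer.sign(key, 'base64') };
  }
}

// Server side: holds public keys and outstanding challenges, never a shared secret.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();                     // username -> PEM public key
    this.pending = new Map();                        // username -> one-time challenge
  }

  enroll(username, publicKeyPem) { this.publicKeys.set(username, publicKeyPem); }

  newChallenge(username) {
    const challenge = randomBytes(32).toString('base64');
    this.pending.set(username, challenge);
    return challenge;
  }

  verify(username, assertion) {
    const expected = this.pending.get(username);
    this.pending.delete(username);                   // a challenge is valid once
    const pem = this.publicKeys.get(username);
    if (!assertion || !expected || !pem) return false;
    if (assertion.challenge !== expected || assertion.origin !== this.origin) return false;
    const verifier = createVerify('SHA256');
    verifier.update(`${assertion.origin}\n${assertion.challenge}`);
    return verifier.verify(pem, assertion.signature, 'base64');
  }
}

function runDemo() {
  const REAL = 'https://bank.example';               // hypothetical service
  const LOOKALIKE = 'https://bank-example.test';     // hypothetical lookalike site
  const device = new Authenticator();
  const server = new RelyingParty(REAL);
  server.enroll('alice', device.register(REAL));

  // Normal login succeeds.
  const assertion = device.signChallenge(REAL, server.newChallenge('alice'));
  const login = server.verify('alice', assertion);

  // A captured assertion is useless later: its challenge has been consumed.
  const replay = server.verify('alice', assertion);

  // An assertion produced on another origin carries that origin and that origin's key.
  device.register(LOOKALIKE);
  const other = device.signChallenge(LOOKALIKE, server.newChallenge('alice'));
  const wrongOrigin = server.verify('alice', other);

  // Relabelling the origin field does not help: the signature no longer matches.
  const other2 = device.signChallenge(LOOKALIKE, server.newChallenge('alice'));
  const relabelled = server.verify('alice', { ...other2, origin: REAL });

  // What a dump of the server's credential store contains.
  const dump = [...server.publicKeys.values()].join('');
  const holdsOnlyPublicKeys = dump.includes('BEGIN PUBLIC KEY') && !dump.includes('PRIVATE');

  return { login, replay, wrongOrigin, relabelled, holdsOnlyPublicKeys };
}

console.log(runDemo());
```

Because the server’s store holds nothing that can be replayed at another site, a leaked copy of it gives credential stuffing nothing to work with.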

The FIDO Client-to-Authenticator Protocol, which is currently in review, provides for the use of smartphones or even wearables as a primary authentication device. Coupled with W3C’s Web Authentication efforts (which will bring native FIDO support to leading web browsers), CTAP will expand FIDO’s reach to a much larger number of users as part of the FIDO 2 project.

In the five years of its existence, the FIDO Alliance has rung up a lot of successes, enlisting more than 250 members ranging from IT organizations to mobile app developers, government organizations, platform providers and financial institutions. Facebook rolled out FIDO authentication in January, extending it to 1.7 billion additional users. Google has been a member since 2014.

Keeper believes in the value of standards as a way to continually move the industry forward. The more organizations that sign on to the FIDO Alliance, the faster the industry can solve the password problem and tackle the next set of challenges. We are proud to be part of that effort.

Keeper Announces Microsoft Edge Extension

LOOK WHAT’S NEW
Hey Windows 10 customers! You’ll be happy to hear that Keeper now has a Microsoft Edge extension. This latest extension will provide you fast and secure access to the Keeper vault right within your browser.

HOW IT WORKS
Now you can use Microsoft Edge to quickly and securely log in to your favorite online destinations. The extension and Keeper icons appear on the screen as you browse to manage logins, enter passwords and secure your data. The new design also lets you use KeeperFill™ to autofill passwords without navigating away from the current page.

We are so excited to provide millions of Windows 10 users a simple way to manage their passwords from the browser of their choice. The Keeper and Microsoft teams have worked closely together to deliver a “native” feel to the browser that integrates perfectly with your browsing experience.

Microsoft Edge is the faster, safer browser designed for Windows 10. Not only will this latest Keeper extension make your devices and online activity more secure, but it will also save you time.

WHERE TO GET IT
To download the extension, please visit https://www.microsoft.com/en-us/store/p/keeper-password-manager-digital-vault/9n0mnnslfz1t#.

We look forward to delivering more awesome updates for Windows 10 users in the future. Thank you for your support!

Why Google chose to pre-integrate Keeper SSO Connect into G Suite

We were thrilled last month when Google selected Keeper SSO Connect, our SAML 2.0 service, as one of just nine third-party apps to be included in the search giant’s pre-integrated SSO Apps Catalog. In an earlier post we told you why Keeper and SSO go so well together. Now we’d like to share the reasons why the Keeper solution is unique enough to earn Google’s endorsement.

Even if you’ve never heard of the term SSO (single sign-on), you’ve undoubtedly used it. Whenever you land on a login page that offers you the option of signing in with Facebook, Google, Twitter or other popular social networks as an alternative to creating an account, you’ve seen SSO at work. One example is Fitbit’s login page.

SSO is one of those rare win-win propositions that not only enhances security but also improves the user experience. When used with protocols such as Kerberos and the Security Assertion Markup Language (SAML), SSO takes care of most of the complexity of authentication and user identity management in the background.

And SSO isn’t just for public websites; it is also used extensively behind corporate firewalls. For example, companies may use it to make it easier for their employees to log in to multiple corporate accounts, such as email, financial applications, collaboration software and CRM. By deploying SSO, enterprises can greatly reduce the need for people to maintain a password for each application they use. That means fewer helpdesk calls, fewer resets and less risk of compromise due to password theft. Companies can also monitor user SSO activity, both to see how applications are being used and to look for signs of compromise.

One of the most rewarding aspects of the Google endorsement is that Keeper has only been in this market for about six months. Late last year we were approached by one of our customers that wanted to use SSO internally to permit users to authenticate to their Keeper vault. We had a solution ready early in the new year, and it’s been a hit with customers.

There are two big differences between the Keeper SSO solution and most others. One is our ability to store rich information in the vault, including files, sensitive data and access credentials to restricted systems. Our shared password storage capability is useful to enterprise customers because not all applications support SSO. Keeper gives them the flexibility to keep a shared vault of passwords to non-SSO applications in a single, secure place so users can log into whatever systems they need. In another recent blog post we told you about how much some users value encrypted file storage.

The second big Keeper difference is our zero-knowledge security architecture. The customer maintains full control over encryption and decryption of their data. We have no access to the encryption keys, master passwords or records stored within the Keeper vault. This capability has become particularly important to customers in the wake of the OneLogin breach late last month. In that incident, the credentials of potentially millions of individual users were compromised because the encryption keys were kept on a central server. A breach of that kind could never happen with Keeper because we don’t store any sensitive information. That capability lies solely within the hands of the user.

With its decision to include SSO Connect in its third-party apps catalog, Google is making it that much easier for customers to implement SSO and SAML. Our own integration is even more extensive. SSO Connect also works with Microsoft’s Active Directory Federation Services and Azure cloud, F5’s BIG-IP Access Policy Manager, Okta’s Identity Cloud, Centrify identity and access management solutions, OneLogin, Ping Identity and the open-source Central Authentication Service.