r/KeeperSecurity

Keeper MSP to MSP migration

Is there any news concerning the add-on to Commander for MSP migration?
6 months ago KeeperCraig wrote:

>Hi guys, we are a few days away from having the automated managed company transfer process ready. This will allow an MSP to take over an account based on mutual authentication and acceptance of the transfer. You'll be able to use Keeper Commander to make it happen. Please hold off on any manual transfers until this goes live!

We've really got to move some vaults and would prefer not to do it the complicated way. Any update on this?

Thanks

u/MaximeCBM — 3 days ago

Keeping my account secure!

I’ve been auditing my security setup and decided to properly migrate away from storing TOTP codes in my password manager (Keeper).

Having credentials and OTP in the same vault defeats the point of MFA, so I’ve built a tiered migration plan across ~230 accounts.

Hardware - each key held in a separate location setup and rotated around when required to add keys to services.
• 2x YubiKey 5 (black) — FIDO2 + TOTP (32 slots each)
• 1x YubiKey Security Key (blue) — FIDO2 only, no TOTP

The tiers
Tier 1 — Passkey/FIDO2 (unlimited, all 3 keys)
Any service supporting FIDO2 or passkeys gets all 3 keys registered. No slot cost, phishing-resistant, domain-bound. ~35 services including Microsoft, Google, Apple, Amazon, PayPal, eBay, Adobe, Atlassian, Xero, GOV.UK.

Tier 2 — YubiKey TOTP (32 slots, black keys only)
Highest value TOTP-only accounts. Banking, NS&I, mobile carriers, energy, hosting/infrastructure, HR systems. Slots ranked Critical→Low so the least critical can be evicted to Tier 3 if a higher value service needs a slot.

Tier 3 — Authenticator app
Lower value TOTP accounts. OTP still separated from Keeper, just not hardware-backed.

Tier 4 — Password only
No MFA available. Strong unique password in Keeper.

The sliding scale logic
32 slots is a hard ceiling. If a new high-value TOTP service appears, the lowest Tier 2 entry gets evicted to Tier 3.

If any Tier 2 service adds passkey support, it gets promoted to Tier 1 and frees a slot — pulling the top Tier 3 entry up.

Questions for the community

  1. Any services I might have missed that support passkeys that aren’t obvious? I need to cross reference more on 2fa.directory to be sure.
  2. Is there a better approach to the 32-slot ceiling than the sliding scale eviction model?

Comments welcome!

u/danrhodes1987 — 5 days ago
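
The sliding-scale logic from the post above, written out as an added example (it is not the poster's code and not a Keeper or Yubico tool). It recomputes every tier from the inventory each time instead of evicting by hand, so eviction and promotion fall out of the ranking; the service names, the intermediate rank labels and the function names are assumptions.

```python
from dataclasses import dataclass

SLOT_CEILING = 32  # TOTP slots per YubiKey 5, as stated in the post
# Rank labels are assumed; the post names only the ends, Critical and Low.
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Service:
    name: str
    mfa: str          # strongest factor offered: "fido2", "totp" or "none"
    criticality: str  # a key of RANK


def assign_tiers(services, slots=SLOT_CEILING):
    """Recompute all four tiers from scratch; eviction and promotion fall out."""
    tiers = {1: [], 2: [], 3: [], 4: []}
    totp_only = []
    for s in services:
        if s.mfa == "fido2":
            tiers[1].append(s.name)      # no slot cost, register on all keys
        elif s.mfa == "totp":
            totp_only.append(s)
        elif s.mfa == "none":
            tiers[4].append(s.name)      # password only
        else:
            raise ValueError(f"unknown MFA type for {s.name}: {s.mfa}")
    # Stable sort: equal ranks keep inventory order, so results are repeatable.
    totp_only.sort(key=lambda s: RANK[s.criticality])
    tiers[2] = [s.name for s in totp_only[:slots]]   # hardware TOTP slots
    tiers[3] = [s.name for s in totp_only[slots:]]   # authenticator app
    return tiers


def moves(before, after):
    """List (service, old_tier, new_tier) for every service that changed tier."""
    def index(tiers):
        return {name: tier for tier, names in tiers.items() for name in names}
    old, new = index(before), index(after)
    return sorted((n, old[n], new[n]) for n in new if n in old and old[n] != new[n])


if __name__ == "__main__":
    # Constructed inventory; slots=2 keeps the demonstration small.
    inventory = [Service("bank", "totp", "critical"), Service("carrier", "totp", "high"),
                 Service("forum", "totp", "low"), Service("mail", "fido2", "critical")]
    start = assign_tiers(inventory, slots=2)
    grown = assign_tiers(inventory + [Service("hosting", "totp", "critical")], slots=2)
    print(moves(start, grown))   # the displaced service drops to the app tier
```

The output of `moves` doubles as the to-do list for the keys: every entry leaving Tier 2 is a credential to delete from both black YubiKeys, and every entry arriving is one to enrol on both.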

Can't recover account with recovery phrase

I'm locked out of my master account and the email associated with it.

The email password is in the vault, and I forgot the password for the vault.

How do I get to the point where I can use the recovery phrase without access to the email address on file for my account? Why did I keep this recovery key in my safe for 5+ years if it's useless?

u/Crafty-Inevitable874 — 7 days ago

Breachwatch details

Hi everyone,

In my company I’m deploying Keeper. In BreachWatch, it would be useful to know whether a password needs changing because it has appeared in a data breach or because it is weak. Have you ever considered this idea?

u/con-d-or — 10 days ago

KEEPER "Meh". With personal reasons

I've been a 6-year Bitwarden Premium customer and have been using a Keeper 2-year subscription with expiration on 07/2027.

I'm currently using Keeper on a 2025 MBP non-beta macOS or 26.4.1. I've got fingerprint set up for sign in but that only works sometimes.

Before you mention my timeout for the desktop app, which is 32767 minutes for max time that can be set, which is a total fail since I have to re-sign in daily no matter whether the machine sleeps or is turned off. Since I'm using Safari, the extension is also set to the same security level and also fails to stay active for those minutes settings.

Comparison for this feature, regardless of your or my preference, is that Keeper requires constant password input when biometric authentication for the desktop app does not work. At least I can count on BW for the 26 character master password to copy and paste into Keeper numerous times a day/week for Keeper to be accessible.

Don't have that problem with BW and never have; if I set it up to NEVER timeout then that's what it does, or one of the other 10 CHOICES to timeout, it acts within those parameters.

I'm no CyberSecurity expert and like what Keeper brings to the table but as a general population user who may use Keeper on Windows, Mac, iOS, or Linux but primarily on Mac the structure leaves a lot to be desired.

On a security point, I appreciate BW choices in allowing the user to change their Encryption Key settings, which no other PWM which I've found allows. Not only is the user given two choices to change the Algorithm, they're given choices to change the KDF iterations, choices to change KDF memory in MB and KDF parallelism.

I'll continue to use my Keeper subscription because it's my backup, but for ease of use, cost, various +cost additions, regardless of its top-of-the-line certifications; unless the mishandled security settings start to toe the line, I can't see renewing this subscription.

Needless to say, it's gotten to the point where I just don't re-authenticate on my Mac since Keeper does not work the way it's intended. On another positive note, Keeper security settings for iOS "Do Not" have the same hit and miss failures.

u/Ok-Lab-6389 — 12 days ago