# Hardware Security Keys on Mobile This guide covers everything you need to know about using a hardware security key with Keeper on iOS and Android. It includes setup instructions, PIN behavior, device compatibility, and how to work through common issues. {% hint style="warning" %} Always make sure you're running the latest version of Keeper before setting up a hardware security key. Older app versions may not support all key types or firmware versions. {% endhint %} ### Supported Hardware Keys #### iOS Keeper works with any FIDO® Certified security key on iOS. For a complete list of certified keys, visit the [FIDO® Certified Showcase](https://fidoalliance.org/fido-certified-showcase/). A few things to know before getting started: * **NFC keys** are supported on most iPhone models. iPads do not support NFC hardware keys. Only keys that plug in directly (via Lightning or USB-C) will work on iPad. * **NFC keys do not work in KeeperFill**, the autofill extension on iOS. See the [NFC Keys and KeeperFill](#nfc-keys-and-keeperfill-on-ios) section below for a workaround. * USB-C keys require **Keeper version 16.12.0 or later**. **iOS Version Compatibility** | **iOS Version** | **Keeper App (Main)** | **Autofill** | | :-------------------: | --------------------- | --------------- | | **iOS 16 or earlier** | ✅ Supported | ❌ Not Supported | | **iOS 17** | ✅ Supported | ✅ Supported | | **iOS 18** | ✅ Supported | ✅ Supported | | **iOS 26+** | ✅ Supported | ✅ Supported | #### Android Keeper supports any FIDO2 certified hardware key on Android. Compatibility may vary depending on the key manufacturer and Google's FIDO library. For a complete list of certified keys, visit the [FIDO® Certified Showcase](https://fidoalliance.org/fido-certified-showcase/). A few things to know before getting started: * Most FIDO2 keys with NFC support will work over NFC on Android. * If you run into issues with a specific key, try registering it over USB instead of NFC, or register it from the Keeper Web Vault and it will sync to your mobile device. *** ### Setting Up a Security Key Before adding a security key on either platform, you need at least one other two-factor authentication method already active on your account. This acts as your backup in case the key is unavailable. {% hint style="info" %} You can register up to 5 security keys on your account. Any one of them will work to log in. {% endhint %} #### On iOS 1. Open the Keeper app and go to **Settings > Two-Factor Authentication**. 2. Tap **Add** next to "Security Keys", then tap **+ Add Key**. 3. Give your key a name and tap **Register**. 4. Follow the on-screen prompt. Either plug your key in or tap it against the back of your iPhone. 5. If your key has a PIN, you will be prompted to enter it. 6. When registration is complete, tap **OK** on the confirmation screen. #### On Android 1. Open the Keeper app and go to **Settings > Two-Factor Authentication**. 2. Tap **Add** next to "Security Keys", then tap **+ Add Key**. 3. Enter a name for your key and tap **Register**. 4. Select **NFC Security key** or **USB Security key** from the list of options. 5. Hold your key flat against the back of your device (for NFC) or insert it into the USB-C port. 6. Keep the key in place until the app confirms registration on screen. {% hint style="warning" %} **Have a YubiKey with firmware 5.7 or newer?** These keys ship with NFC turned off by default. You need to plug the key into a USB port for about 3 seconds before NFC will function. You only need to do this once. See the [Known Issues](#known-issues) section below for full details. {% endhint %} *** ### Login Frequency How often you are asked to use your security key depends on your two-factor authentication frequency setting. * **Every Login:** your key is required every time you open Keeper and log in. * **Every 12 Hours:** your key is required once every 12 hours. * **Every 24 Hours:** your key is required once every 24 hours. * **Every 30 Days:** your key is required once every 30 days. * **Don't ask again on this device:** your key is only required once per device. You can change this at any time in **Settings > Two-Factor Authentication > 2FA Frequency**. {% hint style="info" %} When two-factor authentication is enabled on your account, offline vault access is turned off by default. If you have offline access enabled and then add a security key or other 2FA method, you will see a notice that two-factor authentication will be bypassed during offline login. {% endhint %} *** ### PINs and Hardware Security Keys You can set a PIN on your hardware security key using the manufacturer's software, such as [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). A PIN adds an extra layer of protection if your key is ever lost or stolen, but it is optional. **On iOS:** If a PIN is set on your key, iOS will ask you to enter it every time the key is used. There is no way to skip the PIN prompt; this is enforced at the iOS system level. **On Android:** PIN behavior can vary depending on your device manufacturer. If you are running into problems during setup or login, try registering the key without a PIN first to rule out PIN-related compatibility issues. {% hint style="warning" %} If you enter the wrong PIN 6 times in a row, your key will lock. You will need to reset it using the manufacturer's software (such as Yubico Authenticator) before it can be used again. {% endhint %} *** ### iPad and Hardware Security Keys Hardware security keys do work on iPad, with one important limitation: no iPad model supports NFC. Only keys that physically connect to your device will work: * Lightning connector keys for older iPad models * USB-C keys for newer iPad models (requires Keeper **16.12.0** or later) Combination keys that support both NFC and plug-in, like the YubiKey 5C NFC, are compatible with iPad via the plug-in connection only. *** ### Known Issues #### NFC Not Working on New YubiKeys (Firmware 5.7+) **Affects:** YubiKeys with firmware 5.7.0 or newer, on both iOS and Android Starting with firmware 5.7, all new NFC-capable YubiKeys ship with NFC intentionally disabled. This is a Yubico security measure called Restricted NFC, designed to prevent tampering while the key is still in packaging. When you tap one of these keys against your phone for the first time, your browser may open to a Yubico setup page (yubico.com/getting-started) instead of completing the registration. This means NFC has not been activated yet. **To activate NFC on a firmware 5.7+ YubiKey:** Plug your key into any USB port (a computer, charger, or USB hub) and leave it connected for about 3 seconds. You only need to do this once, and NFC will work normally from that point on. {% hint style="info" %} Not sure what firmware version your YubiKey is running? Download [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/), plug in your key, and the firmware version will appear on the home screen. {% endhint %} *** #### YubiKey NFC Registration Fails on Android (Error code 28) **Affects:** Android, YubiKey firmware 5.7.1 specifically Some users with a YubiKey running firmware version 5.7.1 see the following error when trying to register the key over NFC on Android: > "Something went wrong with your Security Key, please try again. (Error code 28)" The error typically appears at the very end of the registration process, sometimes right after a screen that says the registration was successful. Keys running firmware 5.4.3 and 5.7.4 register without issue. This appears to be specific to firmware 5.7.1. **Workarounds:** 1. **Register using USB instead.** Connect your YubiKey to your Android device via USB-C and select the plug-in option during registration. Once registered over USB, the key can typically be used over NFC for logins going forward. 2. **Register using the Web Vault.** Log in to your vault from a desktop browser (Chrome or Edge) and add the key from there. Once added to your account, it will be available on your mobile device. 3. **Register a different key first.** If you have access to another YubiKey on firmware 5.4.3 or 5.7.4 or newer, registering that key over NFC first and then retrying your 5.7.1 key has resolved the issue for some users. *** #### NFC Keys and KeeperFill on iOS **Affects:** iOS, NFC hardware keys NFC hardware keys do not work with the KeeperFill autofill extension on iOS. This is a system-level limitation. iOS does not allow third-party extensions to initiate NFC key interactions. **Workaround:** Enable **Stay Logged In** in the Keeper app settings. With this on, your session stays active and KeeperFill can fill your credentials without needing to re-authenticate with your hardware key each time. *** #### Long-Tap Autofill and Hardware Security Keys on iOS **Affects:** iOS 18 and later iOS 18 introduced a long-tap autofill feature that lets you fill saved credentials into apps and websites directly from your password manager. When your Keeper account is protected by a hardware security key, this flow will not complete as expected. The system needs to interact with the hardware key, which is not compatible with how long-tap autofill works. **Workaround:** 1. Enable **Stay Logged In** in the Keeper app settings. 2. Log in to the main Keeper app on your device first. 3. You can then use the long-tap autofill feature as normal. *** #### YubiKey FIDO PIN Loop on iOS **Affects:** iOS 18.1 and iPadOS 18.1, resolved in iOS 18.2 Users on iOS or iPadOS 18.1 with a YubiKey running firmware 5.7 could get stuck in a PIN loop. The key would accept the PIN and then immediately ask for it again, preventing login from completing. Apple resolved this issue in iOS 18.2 and iPadOS 18.2. Update your device via **Settings > General > Software Update** to resolve this. If you continue to experience issues after updating, try removing your security key from your account and re-registering it. For additional details, visit [Yubico's support page](https://support.yubico.com/hc/en-us/articles/16726447752732). *** ### Helpful Links * Check your YubiKey firmware version: [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) * Full list of FIDO Certified keys: [FIDO® Certified Showcase](https://fidoalliance.org/fido-certified-showcase/) * Contact Keeper support: [keepersecurity.com/support.html](https://www.keepersecurity.com/support.html) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://newdocs.keeper.io/en/user-guides/troubleshooting/hardware-security-keys-on-mobile.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.