The protection of your data is our highest priority. We have followed, and improved upon, industry best practices to ensure the security and privacy of your data.
Your passwords are encrypted with your own secret key
Each user creates his or her own Master Password known only to them. Master Passwords are never stored on our servers, and absolutely nobody except the account holder can access RoboForm data stored in it.
Company owned RoboForm data is managed by company admins. Company admins can allow employees to reset their forgotten Master Passwords and also enforce policies on their Master Passwords minimal complexity and mandatory rotation time for all employees.
RoboForm policies can integrate employees Master Passwords with their Active Directory account.
End to end encryption
All RoboForm data is encrypted at all stages using AES256 bit encryption with PBKDF2 SHA256, 4096 iterations.
Company owned RoboForm data can be securely shared with other employees using public-private key cryptography. This ensures that your employees can only access RoboForm data assigned to them while using their own Master Password and with the permission levels company admins sets for them.
This means that your employees don't ever need to know or see the actual passwords.
Reports on access, usage, and security levels
Admins can generate reports based on RoboForm data access and usage for each employee or sharing group.
Security Score is an individual user’s overall password health score. Security reports will show the security score for each employee or sharing group. These security scores can be evaluated by company admins based on the minimal security level set and assigned at the company or group level.
Account holders can be encouraged to improve their security scores based on recommendations and best practices.
Additional layer of protection for your data
A second authentication step is enforced with policies and delivered to employees in the form of a one-time password (OTP) sent via email or SMS, or via TOTP based two-factor authentication (2FA). Once enabled, employees will be required to enter the OTP when they access their accounts from a new device or network.
Failure to pass the second step will result in automatic account blocking. Blocked accounts can only be unblocked by company admins.