Skip to content
MSP Security

Keeper vs N-able Passportal for MSPs: Client Vaults, Shared 2FA, and Outage Math

Scopable Team19 min read
Keeper vs N-able Passportal for MSPs: Client Vaults, Shared 2FA, and Outage Math

Password vault decisions get ugly when the demo ends and a technician is staring at a client firewall login during an outage.

That is the real Keeper vs N-able Passportal decision for MSPs. Not which product has the prettier vault. Not which sales deck says security the loudest. The decision is how each tool behaves when your team has 40 clients, shared admin accounts, shared 2FA, staff turnover, browser extensions, remote sessions, and a client asking who can prove what happened last Friday.

Keeper is stronger when you want a security-first vault architecture with strict managed company isolation, shared folders, account transfer, offline access, and a broad platform story around password management and privileged access. N-able Passportal is stronger when your MSP already lives in N-able and wants credential rotation, AD and Entra ID sync behavior, client-level reporting, and Site-style client password sharing inside the N-able operating model.

Neither tool fixes sloppy vault hygiene. If technicians still share personal MFA seeds, keep client break-glass credentials in notes, or forget to rotate passwords after offboarding, the vendor choice only makes the mess more expensive.

Quick answer: Keeper vs N-able Passportal for MSPs

Keeper is usually the better fit for MSPs that want stricter managed company isolation, stronger offline vault options, modern shared-folder workflows, and a broader security platform. N-able Passportal is usually the better fit for N-able-aligned MSPs that want password rotation, AD and Entra ID sync, client audit reports, and Site password sharing tied to their existing N-able workflow.

The safer answer is not "which vault is better?" It is "which vault can your MSP govern every week without exceptions?"

What you are actually comparing

A password vault for an MSP is not a password vault for a normal business.

A normal business mostly asks, "Can my employees store and share passwords safely?" An MSP has nastier questions:

  1. Can we keep every client vault isolated?
  2. Can technicians access what they need without seeing everything?
  3. Can we share 2FA safely without turning one phone into company infrastructure?
  4. Can we prove who viewed, edited, copied, rotated, or exported credentials?
  5. Can we keep working if the vault, IdP, browser extension, or internet connection is having a bad day?
  6. Can we offboard a technician without spending the next week wondering what they still know?
  7. Can the client access what belongs to them without seeing MSP-only notes?

That is why this comparison has to be MSP-specific. Keeper and N-able Passportal both handle password storage. The difference is how each product maps to the operating model around client access, emergency access, audit evidence, and service agreements.

If you are turning this decision into client-facing scope, join Scopable early access. The important part is not the vault SKU. It is the agreement language that says who owns vault hygiene, rotation, client access, break-glass testing, and evidence collection.

Side-by-side comparison

MSP workflowKeeperN-able PassportalPractical MSP takeaway
Client vault separationKeeper MSP docs describe strict managed company isolation at the logical and encryption layer, with MSP technicians launching into managed company instances. Keeper MSP fundamentalsPassportal organizes credentials by clients and supports client-level folders, Site users, reports, and AD or Entra ID sync behavior. N-able AD and Entra ID integrationKeeper leans harder on isolated managed company architecture. Passportal fits client-based N-able operations.
Technician accessKeeper uses MSP-level roles, managed company launch, teams, shared folders, and enforcement policies.Passportal uses clients, folders, security groups, advanced options like hiding unassigned clients and folders, and temporary access duration settings. N-able advanced optionsBoth can restrict access, but the admin model feels different. Test the exact technician roles, not a generic admin demo.
Shared 2FAKeeper's Security Audit tracks user-level 2FA status, and vault records can store shared secrets where your policy allows it. Keeper Security AuditPassportal's N-able SSO flow uses 2FA, and SSO migration has users set up MFA during account activation. N-able SSO migrationShared 2FA is mostly a policy problem. Decide which client systems can use shared TOTP and which require named accounts.
Offline accessKeeper supports offline vault access on web, desktop, iOS, and Android when enabled by policy, with 30, 14, 7, 1 day, or off options. Keeper offline accessN-able added Offline and Backup Mode for the Passportal mobile app in the July 2025 release notes. N-able Passportal July 2025 releaseKeeper has broader documented offline coverage. Passportal has mobile offline support, so test desktop and emergency use cases carefully.
Password rotationKeeper supports security audit, BreachWatch add-ons, policies, and broader vault governance.Passportal has explicit global, client-level, and credential-level rotation settings. N-able credential rotationPassportal is the more obvious pick if AD-linked rotation is central to the workflow.
Browser behaviorKeeper has browser, desktop, mobile, and app fill options, including KeeperFill for Apps in remote sessions. Keeper MSP fundamentalsN-able's January 2025 release added global browser extension timeout and session length controls. July 2025 notes mention improved browser plugin field detection. N-able January 2025 releaseBrowser extensions are where policies die. Test timeout, copy, autofill, and remote session behavior with real techs.
Audit logs and reportsKeeper Advanced Reporting and Alerts covers user-level and admin-level events, with MSP-specific operations. Keeper MSP fundamentalsPassportal reports include logins, client audit logs, password complexity, unchanged passwords, changed passwords, and password actions by user. N-able reports and auditsBoth have audit stories. The winner is whichever can answer your client's insurance and incident questions fastest.
Client resale and co-managed accessKeeper MSP supports managed companies, consumption billing, license allocation, shared folders, and client privacy boundaries.Passportal Site is positioned for branded Password Security as a Service and sharing approved passwords between MSPs and clients. N-able AD and Entra ID integrationKeeper feels like a broader sell-through security platform. Passportal feels more natural for N-able shops already packaging client password services.
Break-glass accessKeeper Account Transfer can recover records from a departed user's vault, with MSP and managed company setup details. Keeper MSP fundamentalsPassportal's organization key is critical. N-able says it is not stored in the system, and resetting it makes stored passwords irretrievable. N-able login documentationBreak-glass is not optional. Document who holds recovery paths and test them before an emergency.
Outage planningKeeper documents a public status page with component-level status and historical uptime views. Keeper statusN-able has product status and Passportal release notes under its status site. N-able Passportal status categoryTreat the vault as a dependency in your incident plan, not just another SaaS app.

Where Keeper is stronger

Keeper is the better fit when the client boundary matters more than the vendor stack.

Keeper's MSP model starts with managed companies. The documentation says each managed company is isolated at both the logical and encryption layer, with client data separated by key architecture. MSP technicians can launch into managed company instances for administrative work, but the client environment is still its own space.

That matters for MSPs with regulated clients, co-managed clients, or clients that ask uncomfortable but fair questions: "Can another client see my records?" "Can your junior technician see our domain admin password?" "What happens if your technician leaves?"

Keeper also has strong documentation around zero-knowledge design. Its encryption model says record data is encrypted locally with client-side generated 256-bit AES keys, and each vault record has its own record key. For an MSP, the point is not to memorize the crypto. The point is that Keeper's security story is built around minimizing who can see vault contents, including the vendor.

The offline story is also stronger on paper. Keeper documents offline access for web, desktop, iOS, and Android, controlled by administrator policy with duration options. It also calls out an uncomfortable detail: if 2FA is enabled, offline vault access can bypass 2FA, and users are warned about that. Good. That is exactly the kind of tradeoff MSPs need to write into policy instead of pretending it does not exist.

Keeper's break-glass story is cleaner too. Account Transfer can recover records from a departed user's vault, and Keeper recommends configuring it at both the MSP and managed company level. That does not mean you can skip offboarding. It means the product has a named mechanism for a problem every MSP eventually faces.

Pick Keeper when you want:

  • Stronger managed company separation
  • Broader offline access documentation
  • Account transfer for departed users
  • Shared folders and team-based vault design
  • A broader security platform path beyond simple password storage
  • A security architecture your compliance-minded clients can understand

The tradeoff is process. Keeper gives you plenty of control. That means you still have to design the folder model, role model, client handoff process, shared 2FA rules, and break-glass tests. If you do not, you just built a nicer junk drawer.

Where N-able Passportal is stronger

Passportal is stronger when your MSP wants the password vault to behave like part of the N-able operating stack.

The clearest Passportal advantage is rotation and sync. N-able's documentation says credential rotation can be set globally, per client, and per credential. Its AD and Entra ID integration docs say the Windows Agent can sync and manage Active Directory credentials in Passportal, with sync every 45 seconds once enabled. The same docs describe Microsoft Sync options for Active Directory, Entra ID, or both, plus sync behaviors like one-way, AD to Passportal, Passportal to AD, and two-way sync.

That is a very MSP-shaped workflow. It is not just "store the password." It is "keep the password aligned with the directory account, rotate it on a schedule, and make the record usable by the technician who needs it."

Passportal also has a practical reporting surface. N-able's reports and audits page lists reports for Passportal logins, client audit logs, password actions by user, passwords known by user, password complexity, unchanged passwords, changed passwords, and exported password values. The client audit log specifically records which client the action happened in, the credential type, description, username, user, date, and action description.

That is the boring evidence clients ask for after something goes wrong. Boring is good here.

Passportal's browser extension controls are worth noticing too. The January 2025 release notes say admins can set global browser extension inactivity timeout and max session length and force the policy across users. The July 2025 notes mention improved browser plugin detection for username and password fields. Those are not glamorous features, but they hit the exact place where technicians cut corners.

Pick Passportal when you want:

  • AD and Entra ID credential sync
  • Global, client-level, and credential-level rotation settings
  • N-able SSO alignment
  • Client audit reports that match MSP workflows
  • Site-style client password sharing for co-managed IT
  • Browser extension session controls across users

The tradeoff is dependency shape. If you are already in N-able, Passportal may reduce vendor sprawl. If you are not, the N-able fit may matter less than Keeper's broader vault architecture.

Shared 2FA is the dangerous middle

Shared 2FA is where MSP password policies usually get hand-wavy. That is bad. Hand-wavy becomes billable pain after a breach, audit, or account lockout.

CISA's consumer guidance is simple: use a password manager for long, random, unique passwords, and turn on MFA because a stolen password alone should not be enough to access an account. CISA password guidance CISA MFA guidance

MSPs have a harder version of that problem. Some client systems still use one shared admin account. Some vendors do not support named admin users well. Some remote access and firewall workflows still get weird when every technician needs an individual identity. Nobody likes admitting that, but pretending all shared admin accounts can vanish next quarter is not a plan.

So write the rule down.

Shared TOTP should be allowed only when all of these are true:

  • The system cannot reasonably support named admin accounts
  • The credential is stored in the approved vault
  • Access is restricted to a named technician group
  • Viewing or copying the secret is logged
  • Rotation is required after technician offboarding or role change
  • The client accepts the risk in the service agreement
  • A migration path to named accounts exists where the platform supports it

Keeper and Passportal can both help store and govern shared secrets. Neither can decide which client systems deserve an exception. That is your operating policy.

Browser extensions, remote sessions, and technician behavior

The vault is only as good as the moment a tech uses it.

A browser extension that stays logged in all day on a shared jump box is a problem. A remote session where autofill misses the field and the tech copies a password into the clipboard is a problem. A client admin portal that requires a shared TOTP code at 1:00 a.m. is a problem. A former employee who still remembers a firewall password because it was never rotated is a very expensive problem.

Keeper's documentation calls out KeeperFill for Apps for native applications and remote sessions. Passportal's release notes call out browser extension timeout controls and improved field detection. Those are useful, but this is where you need a real pilot.

Do not pilot the vault with five perfect SaaS logins. Pilot it with:

  1. A firewall admin login
  2. A Microsoft 365 break-glass account
  3. A remote control session into a server
  4. A shared vendor portal account with TOTP
  5. A terminated technician offboarding scenario
  6. A client handoff where the client keeps ownership
  7. A bad internet day

If the workflow gets weird there, it will get weird in production.

Audit logs: insurance evidence, not vanity reporting

Audit logs are not there so someone can admire a dashboard. They are there so you can answer ugly questions quickly.

Questions like:

  • Who accessed the client's password before the outage?
  • Was the credential changed after the technician left?
  • Which users know this password?
  • Did anyone export credentials?
  • Which credentials have not changed since last quarter?
  • Did the client have access to the record?
  • Was MFA enabled for the vault user?

Keeper's Advanced Reporting and Alerts module covers user-level and admin-level activity, with MSP-specific operations. Keeper Security Audit also reports password strength, unique record passwords, and 2FA status. Passportal's reports are more explicitly organized around MSP audit tasks: logins, client audit logs, password complexity, unchanged passwords, changed passwords, and user-level credential actions.

The winner depends on the report you need to hand to a client, insurer, or attorney. Before choosing, ask each vendor to show the exact export for a real scenario:

"Show us every action on Client A's firewall credential over the last 90 days, including view, edit, rotation, copy, export, and user identity."

If the answer takes a support ticket and a prayer, keep looking.

Outage math: what happens when the vault is down?

Password vault outages are not theoretical. They are operational math.

If your vault is unavailable for two hours and six technicians are working active tickets, how many client systems become unreachable? Which tickets wait? Which clients have alternate access? Which break-glass credentials exist outside the normal vault? Who can use them? How is that access logged after the fact?

Keeper's public status page gives component-level visibility across regions and services, including web vault, admin console, infrastructure, browser extensions, and client applications. N-able maintains status and Passportal release information through its own status site. That is useful, but a status page is not an outage plan.

Your outage plan should define:

  • Which credentials are eligible for offline access
  • Which devices are allowed to hold offline vault data
  • How long offline access can remain available
  • Whether offline access bypasses normal MFA checks
  • Who holds the Passportal organization key, if using Passportal
  • Who can approve break-glass access
  • How emergency access gets logged after the system recovers
  • Which client systems require direct named fallback accounts
  • Which clients have accepted or rejected emergency access terms

Keeper's offline model gives you more documented options across device types. Passportal's organization key model creates a different planning requirement because N-able says the key is not stored by the system and a reset makes stored passwords irretrievable. That is not a small footnote. It is a business continuity requirement.

Service agreement language matters more than the vault demo

The biggest mistake is treating vault choice as an internal tools decision only.

Clients should know what the MSP owns, what the client owns, and what happens when the weird stuff happens. This belongs in the MSA, SLA, SOW, or security addendum. If you need templates for that structure, read the MSP SLA client obligations guide, the MSP scope of work template, and the shared responsibility matrix template.

At minimum, define:

1. Vault hygiene

Say who creates records, who names them, who tags them, who reviews stale records, and who archives dead credentials. "Use the vault" is not enough.

2. Technician access

Say which MSP roles can access which client credential categories. Separate everyday service desk access from network admin access, domain admin access, and break-glass access.

3. Shared 2FA

Say when shared TOTP is allowed, when named accounts are required, who approves exceptions, and when exceptions expire.

4. Rotation

Say which credentials rotate automatically, which rotate manually, which rotate after offboarding, and which require client maintenance windows.

5. Client access

Say which credentials the client can see, which belong to the MSP, and what happens when the client terminates service.

6. Emergency access

Say who can approve emergency use, where emergency records live, how offline access works, and how evidence is reconciled afterward.

7. Audit evidence

Say which reports are provided on request, what cadence is included, and which requests are billable. Evidence work takes time. Pretending it is free creates resentment later.

Scopable does not pick the password vault for you. It helps MSPs turn messy operational decisions into scoped service agreements, roadmap items, budget conversations, and quotes. If vault cleanup becomes part of a client security roadmap, join Scopable early access and stop burying the work in free advice.

The decision rule I would use

Pick Keeper if your MSP cares most about managed company isolation, zero-knowledge architecture, broader offline access, account transfer, and a platform path that can grow into privileged access and secrets management.

Pick N-able Passportal if your MSP cares most about AD and Entra ID credential sync, explicit password rotation settings, client-level audit reports, browser extension policy controls, and staying inside an N-able-heavy operating model.

Then run the boring test:

  • Can a junior technician get only the credentials they need?
  • Can a senior technician work during an IdP outage?
  • Can the client access what belongs to them?
  • Can you rotate credentials after offboarding without panic?
  • Can you prove who touched a password during an incident?
  • Can you explain shared 2FA exceptions without sounding sketchy?

If the answer is no, the product is not ready. Or more likely, your process is not ready.

FAQ

Which is better for MSPs, Keeper or N-able Passportal?

Keeper is usually better for MSPs that prioritize managed company isolation, offline access, account transfer, and a broader security platform. N-able Passportal is usually better for N-able-aligned MSPs that want AD or Entra ID sync, password rotation, and client-level audit reports.

Can Keeper and Passportal handle shared 2FA for client accounts?

Both can support shared secret workflows, but shared 2FA should be treated as an exception, not the default. Use named admin accounts wherever possible. If shared TOTP is unavoidable, document who can access it, when it must rotate, and how the client accepts the risk.

Which vault has better offline access?

Keeper has broader documented offline access across web, desktop, iOS, and Android, controlled by administrator policy. Passportal added Offline and Backup Mode for its mobile app in 2025. MSPs should test their own emergency scenarios before relying on either claim.

What should MSPs do if the password vault is down?

Write an outage plan before the outage. Define which credentials are available offline, which devices can store them, who can approve break-glass access, how access is logged afterward, and which clients require direct fallback accounts.

Should vault hygiene be in the MSP service agreement?

Yes. The agreement should define vault ownership, technician access, shared 2FA exceptions, rotation cadence, client access, emergency access, and audit evidence. Otherwise the MSP inherits assumptions the client never paid for.

Final take

Keeper and N-able Passportal are both credible MSP password vault options. The wrong answer is choosing one because a demo looked clean.

Keeper is the better fit when isolation, offline access, account transfer, and security architecture drive the decision. Passportal is the better fit when rotation, AD and Entra ID sync, client audit reporting, and N-able stack fit drive the decision.

But the tool is only half the work. The other half is governance: who gets access, what gets shared, what rotates, what gets logged, and what the client agreed to pay for. Skip that part and your vault becomes a liability with a nicer login screen.

Related Reading

Frequently Asked Questions

Ready to stop guessing?

Scopable automates quoting, roadmaps, and QBRs for MSPs. Join the alpha and help shape the platform you actually want.

Quote Your Next Project In Minutes

Get MSP insights weekly

No spam. Unsubscribe anytime.