May 4, 2026
Posted by Refael Angel
Today we’re announcing the general availability of Akeyless Password Manager 2.0, a workforce password manager built on the security architecture that enterprises already trust for their most sensitive secrets, keys, and machine identities.
Most password managers were designed for consumers and retrofitted for enterprises. The result is a familiar pattern: a beautiful browser extension on the front end, and a set of architectural and governance compromises waiting to be discovered during a compliance audit or a security review.
Akeyless Password Manager 2.0 starts from the other direction. It is the workforce-facing layer of the Akeyless Identity Security Platform — the same platform that already protects credentials, keys, certificates, and privileged access for security-first enterprises across financial services, healthcare, technology, and regulated industries. Passwords are now a first-class citizen of that platform, with the enterprise posture that comes with it.
Here’s what’s new, what’s different, and why it matters.
What’s New in 2.0
The 2.0 release is available today in the Chrome Web Store, Microsoft Edge Add-ons, Mozilla Firefox Add-ons, and the Apple Safari extension gallery. Alongside the browser extensions, native mobile applications for iOS and Android ship with full parity on the features that matter most.
Secrets and credentials. Store and manage website passwords with notes and URLs. Akeyless is the only major password manager that natively handles static, dynamic, and rotated secrets alongside traditional credentials, so a row in your vault can be a website password today, and an auto-rotating database credential tomorrow, without changing tools. Passkeys are a first-class object: users can create, store, and sign in with passkeys on any supported site. Folders keep everything organized, with a clean separation between personal and corporate items.
Security and access. Authentication runs through the customer’s identity provider: SAML, OIDC, Google, GitHub, or Akeyless Access Key / Alias. MFA is enforced at the IdP, so the organization keeps a single MFA policy for all applications instead of maintaining a parallel one inside the password manager. Secure sharing between users is governed by Akeyless RBAC and ABAC policies, with full audit and instant revocation. For Zero-Knowledge deployments, the Customer Fragment stays inside the customer environment; Akeyless itself never sees readable plaintext.
Productivity. Autofill injects credentials into detected fields with logic to skip decoy and hidden fields. Passkey autofill makes passwordless sign-in seamless on supported sites. Favorites pin frequently used items for quick access. Search and filtering by name, type, or favorites work across the whole vault. OTP and TOTP codes are displayed inline from stored otpauth secrets, so no separate authenticator app is required for the codes already in your vault.
User experience. When the extension is distributed via the organization’s distribution link, two things change for end users. First, sign-in is pre-configured: users don’t know or enter the authentication method or Access ID. They click Sign In and are redirected straight to the configured identity provider. Second, the extension reflects the organization’s custom branding: logo, color scheme, and custom links for Privacy Policy and Contact Support.
Why Enterprises Need More Than a Pretty Vault
A vault without rotation is just a digital post-it. Storing passwords securely does not help if those passwords never change. Sharing items through a “shared folder” is fine for a marketing team’s Instagram password. It is not fine for credentials that govern access to customer data or financial systems.
This is where most consumer-first password managers stop, and where enterprise security teams start having to explain workarounds to their auditors.
Akeyless Password Manager 2.0 is built to make those conversations easier:
Credentials that rotate themselves. Rotated secrets change on a schedule or on demand, with Akeyless automatically updating the underlying system — database, cloud account, Active Directory, service account. The new value is propagated to everyone who has access; no coordinated “please change your password by Friday” email required. Dynamic secrets take this further: short-lived, per-session credentials that expire automatically after minutes or hours, eliminating standing access entirely.
Governance beyond shared folders. Akeyless role-based access control uses six granular permission types (List, Read, Create, Update, Delete, Deny) scoped to items, folders, or wildcard paths. Attribute-based access control, implemented via sub-claims, layers context on top: deny access outside business hours, outside the corporate VPN, or from unmanaged devices. Deny rules override Allow rules, which means tight controls stay tight even as new roles are created.
Audit that actually satisfies auditors. Every read, write, rotate, share, and administrative action generates a tamper-evident audit log entry at the item level, not the vault level. Logs stream in real time to any SIEM: Splunk, Datadog, Sumo Logic, Elastic, Logz.io, or an S3 bucket of your choice. The Akeyless Event Center layers real-time alerting on top, forwarding high-signal events to ServiceNow, Slack, Microsoft Teams, email, or webhooks. When an auditor asks, “Who accessed the production admin password last Tuesday?” the answer is two clicks away.
SSO included at every tier. The “SSO tax” that has quietly forced smaller teams onto downgraded plans elsewhere does not exist at Akeyless. SAML, OIDC, Google, and GitHub sign-in are included in every subscription tier. Automated provisioning via SCIM 2.0 is standard.
Zero-Knowledge Is a Mathematical Property, not a Marketing Term
Everything above would be table stakes for a well-designed enterprise password manager. What makes Akeyless Password Manager 2.0 structurally different is the cryptography underneath it.
Akeyless is built on patented Distributed Fragments Cryptography™ (DFC™). DFC does not split a pre-existing key into pieces. Instead, at the moment of key creation, multiple independent fragments are generated simultaneously in different locations, including separate cloud regions and, crucially, the customer’s own environment. Together these fragments mathematically represent the key; the key itself is never assembled in any single place at any point in its lifecycle.
Three properties of DFC make the Zero-Knowledge guarantee real, not aspirational:
- The key is never assembled. Not at creation, not at rest, not during cryptographic operations. Conventional split-key systems bring fragments together at the moment of use, and that window is exactly what attackers target. DFC eliminates it entirely. Cryptographic operations run as a distributed computation across fragments; fragments never meet.
- All-or-nothing threshold. DFC is not a “3-of-5” secret-sharing scheme. An attacker who obtains some but not all current fragments learns nothing about the key — not a bit, not a bias, not a hint. Only a simultaneous capture of every fragment reveals anything at all.
- Continuous fragment refresh. Fragments are continuously regenerated while the master key stays constant. A stolen fragment from last week becomes cryptographically irrelevant today. Harvest-now-decrypt-later attacks have nothing to harvest.
The Customer Fragment is generated and held exclusively within the customer’s network, typically on an Akeyless Gateway deployed on-premises or inside a customer-owned VPC. Without it, no cryptographic operation can succeed. Akeyless, from its SaaS platform, can orchestrate the operation, but it can never assemble a full key because no full key ever existed to assemble.
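A toy model of the three properties listed above, added here as an illustration; it is not Akeyless code and not the DFC algorithm, which this page does not specify. It assumes n-of-n XOR fragments and a one-time-pad style operation, and every function name is hypothetical.

```python
import secrets
from functools import reduce

KEY_LEN = 32  # bytes; constructed toy parameter

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def combine(parts):
    # Used for mask arithmetic and by tests only; the holders never call this
    # on real fragments, which is the point of the scheme.
    return reduce(xor, parts)

def generate_fragments(n: int):
    # Each holder draws its fragment independently. The key is *defined* as the
    # XOR of all fragments; no key exists beforehand to be split.
    if n < 2:
        raise ValueError("need at least two holders")
    return [secrets.token_bytes(KEY_LEN) for _ in range(n)]

def refresh(frags):
    # Masks that XOR to zero change every fragment but not the implied key.
    # Simulated centrally here; a real protocol exchanges masks pairwise.
    masks = [secrets.token_bytes(KEY_LEN) for _ in frags[:-1]]
    masks.append(combine(masks))
    return [xor(f, m) for f, m in zip(frags, masks)]

def distributed_apply(data: bytes, frags):
    # Each holder applies its own fragment in turn to the running value, so
    # the result equals data XOR key without the fragments being combined.
    if len(data) != KEY_LEN:
        raise ValueError("toy operation needs KEY_LEN bytes")
    for f in frags:
        data = xor(data, f)
    return data

def missing_fragment_for(partial, candidate_key: bytes) -> bytes:
    # All-or-nothing: for ANY candidate key there is a last fragment that makes
    # the captured ones consistent with it, so they rule out no key at all.
    return xor(combine(partial), candidate_key)
```

Mixing a fragment captured before a refresh with current fragments produces a different result from the real operation, which is why a stale fragment is useless on its own.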
What this means in practice:
- Akeyless cannot read your passwords. Not because we promise not to; because we mathematically cannot.
- Legal-compulsion scenarios are structurally defused. CLOUD Act, MLATs, foreign subpoenas: Akeyless can only disclose what it possesses. It does not possess your plaintext.
- Data residency is satisfied structurally. Plaintext only materializes inside the customer-hosted Gateway. You choose the region. Residency becomes a deployment decision, not a contract negotiation.
- Post-quantum readiness today. Hybrid TLS 1.3 with ML-KEM768 protects data in transit. Full support for the FIPS-standardized PQC algorithms (FIPS 203 / 204 / 205) is on the H1 2026 roadmap.
The cryptography is validated, not merely claimed: the Akeyless FIPS Cryptographic Module is FIPS 140-3 validated (NIST CMVP Certificate #5227) — the current NIST standard, which replaced FIPS 140-2. The certificate is active through July 10, 2029.
The Platform Underneath
One of the real costs of running a modern security program is tool sprawl. Secrets management in one vendor. PAM in another. Certificate lifecycle management somewhere else. Password management off to the side. Each with its own audit stream, its own RBAC model, its own integration surface, its own operational playbook, and its own renewal cycle.
Akeyless Password Manager 2.0 is not a standalone product. It is the workforce-facing layer of a single platform that also delivers:
- Secrets Management — static, dynamic, and rotated secrets for applications and workloads
- Certificate Lifecycle Management — TLS, SSH, code signing, PKI, ACME
- Encryption & Key Management — FIPS 140-3 Level 3 HSM-backed keys, KMIP, PKCS #11, BYOK for AWS / Azure / GCP / Salesforce
- Secure Remote Access (PAM 3.0) — just-in-time, Zero Standing Privileges for humans, machines, and AI agents
One policy model. One audit trail. One integration surface. One vendor relationship.
For teams already running Akeyless for secrets or certificate management, rolling out Password Manager 2.0 to the workforce is a configuration exercise, not a new procurement. For teams starting fresh, it’s a path to consolidate several categories of security tooling under a single governance model.
Enterprise Posture out of the Box
No vendor check, no security review, no compliance questionnaire should come back with surprises.
- SOC 2 Type II (annual external attestation)
- ISO 27001:2013 (annual audit by PwC)
- PCI DSS (all 12 requirements)
- FIPS 140-3 (NIST CMVP Certificate #5227 — the current NIST cryptographic module standard)
- GDPR / CCPA / HIPAA / DORA aligned; public DPA; SCCs where required
- 99.99% availability SLA, service-credit backed, publicly verifiable at status.akeyless.io
- RPO 5 minutes, RTO 1 hour, multi-region multi-cloud active-active
- Zero-downtime upgrades — no maintenance windows
And the things that should be free, are free: integrations with every major IdP, SIEM, and ITSM are included at every plan tier. No per-GB storage fees. No premium-integration paywall.
Migration Is a Short Trip
If you are already running a consumer-grade password manager at the enterprise, Akeyless can meet your users where they are. The browser extension natively imports CSV from 1Password, LastPass, Bitwarden, Dashlane, Keeper, Google Password Manager, and Apple Passwords, plus generic CSV with documented columns. For larger migrations, Akeyless Automatic Migration can pull secrets from external vaults and keep them synchronized during a phased cutover, so no big-bang cutover is required. The extension runs in parallel with the incumbent; users are never locked out. Rollback, if you need it, is a configuration change.
A typical mid-market rollout looks like this: IdP integration in 1–3 days, MDM-based extension distribution in 1–5 days, optional Gateway deployment for Zero-Knowledge in hours. Minutes of downtime: zero.
Try It
We believe the easiest way to evaluate a password manager is to use it. You can start a 14-day trial today at console.akeyless.io, no credit card, full feature set. For larger evaluations, a 30–60 day POC with a dedicated Sales Engineer, your own IdP, your own MDM distribution, and migration from your incumbent manager is a request away.
If you would like a guided walkthrough, including a live demo of end-to-end encryption, instant share-link revocation with the matching audit event flowing into a SIEM, and Zero-Knowledge with a customer-hosted Gateway, schedule a demo or reach out through your existing Customer Success Engineer.
Workforce password management should not be a separate conversation from the rest of your identity and secrets strategy. With Akeyless Password Manager 2.0, it isn’t.
Learn more at akeyless.io, or dive into the technical details at docs.akeyless.io.