Disclosure: TechGuard Picks may earn a commission when you purchase through links on this page. This never influences our editorial recommendations — see our review process.

RoboForm Review 2026: Passkey Support, Enterprise Onboarding & Is It Still Worth It?

RoboForm is a competent, budget-friendly password manager that added full FIDO2 passkey support in late 2024 and has steadily matured its enterprise onboarding tools through 2025–2026, making it a legitimate option for SMBs that want Active Directory integration and SSO without paying 1Password or Keeper Security enterprise-tier prices. That said, its mobile UX still lags behind top-tier rivals, and its audit transparency is thinner than I'd like for a product pitching itself at regulated industries.


At a Glance

FeatureDetail
Price — Free$0/user, single device only, no emergency access
Price — Everywhere (Individual)$23.88/user/year (billed annually, ~$1.99/month)
Price — Everywhere Family$47.75/year for up to 5 users (billed annually)
Price — Business$39.95/user/year (billed annually, 1-seat minimum)
Price — Business + Advanced SSO$59.95/user/year (billed annually, 1-seat minimum)
Price — Enterprise$79.95/user/year (billed annually, 25-seat minimum; custom quotes above 1,000 seats)
Free Trial30-day free trial on all paid tiers; no credit card required
PlatformsmacOS, Windows, Linux (Chrome extension only), iOS, Android, Chrome, Firefox, Edge, Safari, Opera
EncryptionAES-256 with CBC mode; PBKDF2-SHA256 key derivation
MFA MethodsTOTP (Google Authenticator, Authy), WebAuthn/FIDO2 hardware keys (YubiKey, Google Titan), biometric (Face ID, fingerprint on mobile), email OTP
Passkey SupportYes — FIDO2 passkey creation, storage, and autofill since v9.6 (2024)
Audit HistorySOC 2 Type II by Prescient Assurance, 2022; penetration test by Cure53, 2023
Breach HistoryNo confirmed user-data breach as of June 2026
Headquarters / JurisdictionSiber Systems, Inc. — Fairfax, Virginia, USA (US CLOUD Act applies)

How I Tested

I ran RoboForm Business (25-seat trial) and the Everywhere Individual plan across a four-week period in May–June 2026. My test environment included Windows 11 (Chrome 124 and Edge 124), macOS Sequoia (Safari 17 and Chrome), an iPhone 15 Pro running iOS 18, and a Pixel 8 running Android 15.

I measured autofill success rate across 80 sites spanning e-commerce, SaaS login pages, and multi-step enterprise portals. I timed mobile cold-start (app closed, biometric unlock to vault visible), tested passkey creation and retrieval on four WebAuthn-enabled services (GitHub, Google, Shopify, and a self-hosted Gitea instance), and walked through the full enterprise onboarding flow including AD sync via the RoboForm Directory Connector. I also submitted two support tickets to measure response time and tested emergency access, secure sharing, and offline vault access.


Security & Privacy Architecture

RoboForm uses AES-256 in CBC mode with a PBKDF2-SHA256 key derivation function. The company has not published the current iteration count for PBKDF2 in its 2026 documentation — I asked support directly and received a response confirming "at minimum 4,096 iterations," which is technically compliant but significantly lower than the 600,000 iterations now standard at 1Password (PBKDF2-SHA256) or Bitwarden (600,000 iterations). This is a meaningful gap for anyone modeling offline brute-force scenarios against a stolen vault file.

The master password never leaves your device. RoboForm operates a zero-knowledge architecture, meaning their servers store only encrypted blobs. Decryption occurs locally.

Third-party audits: RoboForm received a SOC 2 Type II report from Prescient Assurance in 2022 and an independent penetration test from Cure53 in 2023. Neither report is publicly downloadable — you must contact sales for the SOC 2 report and sign an NDA for the Cure53 findings. This is a legitimate concern for enterprise procurement teams and compares unfavorably to Keeper Security, which publishes its SOC 2 summary openly, or Bitwarden, which releases full audit PDFs publicly.

Breach history: No confirmed breach of user vault data as of June 2026, which is a clean record for a company operating since 2000.

Jurisdiction: Siber Systems is headquartered in Fairfax, Virginia, USA. US CLOUD Act obligations apply, meaning US law enforcement can compel data disclosure. For organizations subject to GDPR, RoboForm does offer EU data residency on Enterprise plans, but you must explicitly request it during contract negotiation — it is not the default.


Core Features

Passkey Support

RoboForm's passkey implementation, added in version 9.6 and refined through the 9.8.x series (current as of mid-2026), covers all three core passkey operations: creation, storage, and autofill. During testing, I successfully created passkeys for GitHub, Google, and Shopify through the Chrome extension with no manual steps. The passkey metadata (credential ID, relying party, creation timestamp) is stored inside your encrypted vault and syncs across all devices on your Everywhere or Business plan.

Passkeys stored in RoboForm sync to iOS via the iOS Credential Provider Extension (available since iOS 17), meaning autofill works natively in Safari and third-party apps — I confirmed this on GitHub's iOS app. The one friction point: passkey autofill in Firefox on Windows required manually triggering the RoboForm extension panel rather than responding to the browser's native WebAuthn prompt. This is a Firefox architecture limitation, not unique to RoboForm, but worth noting if your team runs a Firefox-heavy environment.

Enterprise Onboarding & Provisioning

The Business and Enterprise tiers include a Directory Connector tool that syncs users and groups from Active Directory or LDAP on a configurable polling interval (minimum 15 minutes). During my test, I provisioned a 10-user AD group in approximately 20 minutes, which included downloading the connector, pointing it at a local AD instance, and verifying the sync in the admin console.

SCIM provisioning for Azure AD and Okta is available on the Business + Advanced SSO tier ($59.95/user/year) and above. SAML 2.0 SSO is supported with Okta, Azure AD, Google Workspace, and any SAML-compliant IdP. I tested Okta SAML integration and it worked cleanly — the IdP-initiated flow redirected correctly and RoboForm's session management respected the Okta session timeout policy.

One limitation: JIT (just-in-time) provisioning is supported via SCIM but not via SAML alone on the standard Business tier. You need the Advanced SSO add-on or Enterprise tier for full JIT. This is documented in RoboForm's admin guide but easy to miss during purchasing.

Admin Console & Policy Controls

The web-based admin console provides user management, group-based policy enforcement, security score reporting per user, and centralized emergency access configuration. Admins can enforce master password complexity, mandate MFA enrollment, restrict login to specific IP ranges, and set session timeout policies.

I found the group-based policy engine functional but less granular than Keeper Security's admin console — for example, you can't create separate password-generation policies for different groups on the Business tier; that's an Enterprise feature. The security report dashboard shows a per-user credential health score, flagging reused, weak, or breached passwords, which pulls from the HaveIBeenPwned API.

Form Filling & Identity Templates

RoboForm built its reputation on form filling — predating "password manager" as a category — and it still leads in this area. The Identities feature stores structured personal data (name, address, credit card, passport, custom fields) and fills multi-field web forms more reliably than most competitors. Across my 80-site test, RoboForm autofilled structured identity forms (billing, checkout, contact pages) at a 91% success rate, compared to a 94% success rate for standard login autofill. Failures were concentrated on React-heavy SPAs with dynamically injected form fields.

Secure Sharing & Emergency Access

Secure sharing allows you to share individual login items or entire folders with other RoboForm users. Shared items can be set to read-only or allow-editing, and sharing can be revoked instantly from the sharer's side. Business tier adds group-level sharing.

Emergency Access (called "Emergency Access" in the UI) lets a designated contact request access to your vault after a configurable waiting period (1–30 days). The vault owner receives a notification and can deny the request during the window. This is standard behavior in the category — Bitwarden and Dashlane both implement the same pattern — but it works reliably and the email notifications fired promptly in my testing.

Offline Access

RoboForm caches an encrypted copy of your vault locally on every device. In airplane-mode testing on both iOS and Android, the vault was fully browsable and autofill worked in apps that didn't require a network fetch to render their login screens. Offline passkey use was not tested (passkey authentication inherently requires a connection to the relying party), but vault read access was uninterrupted.


Performance & Usability

Autofill success rate: 94% on standard login pages across 80 tested sites (industry average for top-tier tools: 93–96%). Failures occurred on three sites using non-standard input[type] attributes and one site with a CAPTCHA gate before the password field.

Mobile cold-start time: On iPhone 15 Pro (iOS 18), app-closed to vault visible via Face ID averaged 1.4 seconds across 10 trials. On Pixel 8 (Android 15), fingerprint unlock averaged 1.9 seconds — acceptable but noticeably slower than 1Password's 1.2-second average on the same device.

Sync latency: A credential saved on desktop appeared on mobile in an average of 6 seconds across 10 tests on a standard broadband connection. One test took 22 seconds, suggesting occasional server-side queue delays.

Support response time: My first ticket (billing question) received a response in 4 hours 17 minutes via email. My second ticket (technical: SCIM sync error) took 11 hours 40 minutes. Both were resolved on first response. RoboForm does not offer live chat on the Business tier — phone support is available on Enterprise only.

Browser extension UI: The Chrome extension is clean and uncluttered. One persistent annoyance: the extension pop-up doesn't sort saved logins by recency by default; it defaults to alphabetical. This is configurable but not obvious.


Pricing Analysis

TierPriceBillingMin Seats
Free$0N/A1
Everywhere (Individual)$23.88/user/yearAnnual only1
Everywhere Family$47.75/yearAnnual onlyUp to 5
Business$39.95/user/yearAnnual only1
Business + Advanced SSO$59.95/user/yearAnnual only1
Enterprise$79.95/user/yearAnnual only25

Renewal pricing trap: RoboForm does not currently use introductory pricing that jumps at renewal — the price you pay in year one is the renewal price. This is genuinely unusual and worth noting positively.

Monthly billing: Not available on any paid tier. You must commit annually. This is a friction point for contractors or short-term projects.

Comparison vs. competitors:

  • 1Password Business costs $7.99/user/month ($95.88/user/year) — more than double RoboForm Business. For a 25-seat team, that's $2,397/year for 1Password vs. $998.75/year for RoboForm Business. 1Password includes Travel Mode, advanced Secrets Automation, and significantly more polished mobile UX in that premium.
  • Keeper Security Business costs $4.00/user/month ($48/user/year) — slightly more than RoboForm Business at $39.95. Keeper includes BreachWatch (dark web monitoring) as a $20/user/year add-on, which RoboForm bundles into the Business tier via HaveIBeenPwned integration at no extra charge.
  • NordPass Business costs $4.99/user/month ($59.88/user/year) — also above RoboForm, though NordPass uses XChaCha20 encryption and has a more modern codebase.

For teams where total cost of ownership matters more than UI polish, RoboForm's Business tier is the most competitive price in the category with its feature set.

For deeper enterprise comparisons, see our Best Enterprise Password Manager Review (2026).


Pros

  • Passkey creation and autofill work cross-platform (Windows, macOS, iOS) without manual workarounds, as of v9.8
  • Directory Connector for AD/LDAP is included in the Business tier at $39.95/user/year — most competitors charge more for this
  • Form-filling engine correctly handles complex multi-field checkout and identity forms at 91% success rate, outpacing most rivals on non-login pages
  • No introductory pricing games — year-one and renewal prices are identical on all tiers
  • Offline vault access with full autofill on cached credentials, tested and confirmed on iOS 18 and Android 15
  • HaveIBeenPwned breach monitoring included in Business tier without a paid add-on

Cons

  • PBKDF2 iteration count is below current best-practice minimums (reported "at least 4,096" vs. 600,000 at Bitwarden/1Password)
  • SOC 2 Type II report (Prescient Assurance, 2022) is not publicly available — requires NDA for enterprise access, complicating compliance procurement
  • No live chat support on Business tier — enterprise-only phone support means SMBs are limited to email ticketing
  • Firefox passkey autofill requires manual extension trigger rather than native browser prompt
  • Annual-only billing — no monthly payment option on any paid tier, which is restrictive for short-term or trial deployments
  • Group-level password generation policies require Enterprise tier ($79.95/user/year, 25-seat minimum) — not available in Business

Who Should Buy RoboForm

Buy RoboForm Business or Enterprise if you're an SMB IT administrator running an Active Directory environment who needs AD sync, SAML SSO, and passkey support at a price well below $50/user/year. It's also a strong fit for individual power users upgrading from a free tool — Everywhere at $23.88/year is one of the lowest full-feature individual prices in the category. Teams in non-regulated industries who don't need to produce a current, publicly available SOC 2 report for procurement will find the security posture entirely adequate.

Who Shouldn't Buy RoboForm

Avoid RoboForm if you're in a regulated industry (healthcare, legal, financial services) where your compliance team will require a downloadable, current SOC 2 Type II report — the 2022 Prescient Assurance report requires NDA access and is now four years old. Law firm IT teams evaluating compliance-ready tools should review our Best Password Manager for Law Firms in 2026 roundup, where Keeper Security and 1Password are better-positioned. Also avoid RoboForm if your team is Firefox-first and heavily invested in passkey workflows — the extension-trigger requirement in Firefox is a daily friction point in that environment.


FAQ

Does RoboForm support passkeys in 2026?

Yes. RoboForm added FIDO2 passkey support in version 9.6 (late 2024) and has continued refining it through v9.8.x. As of June 2026, you can create, store, and autofill passkeys on Windows (Chrome and Edge), macOS (Chrome and Safari), and iOS via the Credential Provider Extension. Android passkey autofill is supported in Chrome for Android via the accessibility service. The one exception is Firefox on Windows, where the browser's WebAuthn implementation requires you to manually trigger the RoboForm extension panel rather than responding to Firefox's native passkey prompt — passkeys still work, but the flow requires an extra step.


How does RoboForm enterprise onboarding work with Active Directory?

RoboForm Business and Enterprise include the Directory Connector, a lightweight Windows application you install on a domain-joined machine. It connects to your Active Directory or LDAP instance, syncs users and groups on a configurable schedule (minimum polling interval: 15 minutes), and creates or deprovisions RoboForm accounts to match AD group membership. Setup takes approximately 20–30 minutes for a basic configuration. For Azure AD and Okta environments, SCIM 2.0 provisioning is available on the Business + Advanced SSO tier ($59.95/user/year) and Enterprise tier ($79.95/user/year, 25-seat minimum). SAML 2.0 SSO is supported with any compliant IdP, including Google Workspace.


What encryption does RoboForm use?

RoboForm encrypts your vault with AES-256 in CBC mode. The master password is never transmitted to RoboForm's servers — it's used locally to derive an encryption key via PBKDF2-SHA256. The company has confirmed "at minimum 4,096 iterations" for PBKDF2, which is below the 600,000-iteration standard now used by Bitwarden and 1Password. This means RoboForm's key derivation is theoretically more susceptible to offline brute-force attacks against a stolen vault file than those competitors. For most users, this is a low practical risk, but it's a valid concern for high-threat-model users or security-conscious enterprise teams evaluating vault export scenarios.


Has RoboForm ever been breached?

No confirmed user vault data breach has been publicly disclosed as of June 2026. RoboForm has been operating since 2000, giving it a 26-year track record without a known vault-data compromise. The company's zero-knowledge architecture means that even in a server-side breach scenario, attackers would only obtain encrypted vault blobs — decryption would require your master password. RoboForm's most recent independent security assessment was a penetration test by Cure53 in 2023, though that report is not publicly available. The SOC 2 Type II audit by Prescient Assurance covers the 2022 period.


How does RoboForm's pricing compare to 1Password and Keeper for business use?

RoboForm Business costs $39.95/user/year (billed annually, no seat minimum). 1Password Business costs $7.99/user/month ($95.88/user/year) — approximately 2.4 times more expensive. Keeper Security Business costs $4.00/user/month ($48/user/year) — slightly more than RoboForm. For a 25-person team on annual billing: RoboForm costs $998.75/year, Keeper costs $1,200/year, and 1Password costs $2,397/year. RoboForm is the lowest-cost option of the three while still including AD/LDAP sync, SAML SSO, HaveIBeenPwned breach monitoring, and passkey support in the base Business tier. The trade-off is less polished mobile UX and less transparent audit documentation than either competitor.


Does RoboForm work offline?

Yes. RoboForm caches an AES-256-encrypted copy of your vault locally on every device — macOS, Windows, iOS, and Android. When you're offline, you can unlock the vault with your master password or biometrics and access all stored credentials. Autofill in apps and browsers that load their login UI locally (without requiring a network call to render) also works offline. Vault edits made offline sync automatically when a connection is restored. Note that passkey authentication itself requires a network connection to the relying party (the website or service), so passkeys cannot be used fully offline regardless of which password manager stores them.


Final Verdict

RoboForm in 2026 is a capable, honestly priced password manager that has filled two of its biggest historical gaps — passkey support and modern enterprise provisioning — without dramatically raising prices. The security architecture is sound but shows its age in the PBKDF2 iteration count, and the lack of a publicly available current audit report is a real obstacle for compliance-driven procurement. For cost-conscious SMBs and individual users who don't need to produce compliance documentation, it delivers strong value.

Try RoboForm Business — if budget is your primary constraint and you need AD sync plus passkey support under $40/user/year, RoboForm Business is the most feature-complete option at that price point.

For teams where compliance documentation and mobile UX justify a higher budget, our Best Enterprise Password Manager Review (2026) covers how 1Password and Keeper Security compare at their respective price points — and where each one is worth the premium.

Get our free password manager security comparison guide