The hardest part of using a password manager is the first ten minutes.
Most apps drop you into a feature-rich, decision-heavy interface and ask you to figure it out. Pick a master password (no help on what makes a good one). Decide whether to enable biometrics (no explanation of what gets stored where). Pick a vault name. Sync to the cloud (which cloud, with what consequences). Add your first credential. Set up two-factor authentication. Configure auto-lock. Configure clipboard timeout. Connect a browser extension. Choose recovery options.
It's not that those decisions don't matter. They do. It's that asking someone to make all of them in their first session is the surest way to create an abandoned vault.
In v3.0.0, SecureKeep ships a 6-step first-run wizard that does the opposite. The wizard is opinionated where it can be, optional where it should be, and aimed at one specific user: the household digital steward — the person who is going to set this up not just for themselves, but for their spouse, their parents, eventually their kids. Six steps. Three of them skippable. Roughly six minutes of focused attention.
Here is what each step does and why we built it that way.
Step 1 — Name Your Vault
The wizard opens by asking what to call this vault. Not a generic "Welcome to SecureKeep" splash. Not a tour of features. A specific question: whose vault is this?
The default suggestion is "My Vault." A first-time user can accept it and move on. A user setting up a family-of-four arrangement might type "Mum's Vault" or "Aarav's Vault" or "Joint Household."
This is intentional. SecureKeep's multi-vault model treats vaults as belonging to people, not to abstract categories. A household digital steward will eventually maintain multiple vaults on the same device — one for themselves, one for an aging parent, one for a child's school accounts. Naming the first vault correctly sets the mental model from the start.
You can rename a vault later (Settings → Vault → Rename). The first-run name isn't permanent.
Step 2 — Choose a Master Password
This is the most consequential step in the entire setup. The master password is the only key into the vault. It is not stored anywhere — only a verification token derived from it lives on the device, and the actual derived encryption key exists only in memory while the vault is unlocked.
Most setup wizards either accept whatever you type, or apply a binary "is it 8 characters?" check that's barely better than nothing. SecureKeep's wizard runs zxcvbn (Dropbox's open-source password strength estimator) on whatever you type, in real time, and shows you a strength score from 0 to 4. You can't proceed below score 2.
Why zxcvbn rather than a character-count rule? Because Password123! passes any character-count rule and fails zxcvbn instantly — it's a top-100 password with a predictable suffix. Real strength is a function of entropy, not surface complexity. zxcvbn measures it correctly.
The wizard also asks you to confirm the password by typing it twice. There's no "show password" toggle on this screen — we don't want a master password ending up in autocomplete, screen recordings, or shared screenshots taken during the moment someone is helping a parent set up their vault.
A note on what to choose: a four-word passphrase ("garden bicycle stove forest") scores well, is memorable, and is easy to type even on a phone keyboard. We recommend that pattern explicitly. The wizard's strength meter will agree.
Step 3 — Biometrics, Optional
If your device supports Face ID, Touch ID, or fingerprint authentication, the wizard offers to enable biometric unlock for this vault. The choice is yours.
The honest tradeoff:
- With biometrics on, the data encryption key is stored in iOS Keychain (or Android Keystore) protected by biometric authentication. Day-to-day unlock takes a glance or a touch. The master password remains a fallback.
- With biometrics off, every unlock requires the master password. Slower, more friction, marginally fewer attack surfaces.
The wizard frames this honestly. "Skip biometrics for now" is a first-class button, not a hidden option. You can turn biometrics on or off later from Settings.
This step is also where the vault gets created. When you tap Create Vault, several things happen at once:
- A 256-bit data encryption key (DEK) is generated using the OS's cryptographically secure random number generator (expo-crypto).
- A random salt is generated. Your master password plus the salt is fed through PBKDF2-SHA256 at 600,000 iterations to produce a derived key.
- The derived key wraps the DEK using AES-256-GCM. The wrapped DEK is what's stored on disk.
- A verification token is created so the vault can confirm a future master-password attempt without storing the password itself.
- The vault file structure is initialized in the device's encrypted SQLite database.
If biometrics are enabled, the DEK is also stored in iOS Keychain or Android Keystore with requireAuthentication: true. Otherwise it's only ever derived from your master password at unlock time.
This is the moment the vault becomes a real thing. Everything before this step was preparation.
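The vault-creation sequence listed in Step 3, as an added sketch that is not SecureKeep's source code. Node's built-in crypto module stands in for expo-crypto, and the function names, record fields, 16-byte salt, and HMAC-based verification token are assumptions, since the post does not specify them.

```javascript
// Added sketch, not SecureKeep's source. Node's crypto stands in for
// expo-crypto; all function and field names here are hypothetical.
const crypto = require('node:crypto');

const ITERATIONS = 600000; // PBKDF2-SHA256 work factor stated in the post

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Assumption: the post does not say how the verification token is built.
// Here it is an HMAC under the derived key, so the stored value is neither
// the password nor the wrapping key.
function verifier(derivedKey) {
  return crypto.createHmac('sha256', derivedKey).update('vault-verify').digest();
}

function createVault(password) {
  const dek = crypto.randomBytes(32);  // 256-bit data encryption key
  const salt = crypto.randomBytes(16); // salt length is an assumption
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce
  const kek = deriveKey(password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const wrappedDek = Buffer.concat([cipher.update(dek), cipher.final()]);
  // Only this record is persisted: no password, no derived key, no plain DEK.
  const record = { salt, iv, wrappedDek, tag: cipher.getAuthTag(), token: verifier(kek) };
  return { record, dek };
}

function unlockVault(password, record) {
  const kek = deriveKey(password, record.salt);
  // Constant-time comparison rejects a wrong password before any unwrap.
  if (!crypto.timingSafeEqual(verifier(kek), record.token)) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, record.iv);
  decipher.setAuthTag(record.tag);
  // final() throws if the wrapped DEK or tag was modified on disk.
  return Buffer.concat([decipher.update(record.wrappedDek), decipher.final()]);
}
```

The stored record contains everything an offline attacker would obtain from the device, so the 600,000-iteration derivation is the only cost standing between a guessed master password and the DEK.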
Step 4 — Add Your First Password (Skippable)
The wizard offers to add your first credential here. Not as homework — as a way to try the thing you came here to do.
If you accept, you go through the same Add Credential flow that lives elsewhere in the app: label, username, password (with the password generator one tap away), URL, optional fields. The wizard waits, sees you save the credential, and advances when you do. It also notices if you back out — there's no penalty for skipping, no "are you sure?" prompt, and no progress bar that judges you for skipping.
If you skip, the vault is still fully functional. You can add credentials any time from the dashboard.
The reason this step exists is empirical: users who add even one credential during the setup wizard return to the app the next day at roughly twice the rate of users who don't. The conversion isn't because of the credential itself — it's because the act of adding one converts the abstract idea ("I'm using a password manager now") into a concrete experience ("I just added my Gmail password and watched it get encrypted").
We don't force this. But we make it the path of least resistance.
Step 5 — Create Your First Backup (Skippable)
Step 5 is the one most setup wizards omit entirely.
A local-only password manager has one specific way to lose access to your vault: lose the device. Cloud-synced products solve this with sync — your vault is on three other devices. SecureKeep solves it with encrypted backup files.
The wizard prompts you to create your first backup file at the moment you have the least in your vault. This is exactly when most people will skip it ("I just have one password, why bother?") — and exactly the moment the muscle memory of "this vault has a backup" is most worth building.
The backup is:
- A single .securekeep file
- Encrypted with a passphrase you choose at backup time (separate from your master password — and we explain why on the screen)
- Restorable on any device, any version of SecureKeep
- Yours to store wherever — iCloud Drive, Google Drive, USB stick, a fireproof box, an email to yourself
The wizard offers to share the backup file via the system share sheet (Files, AirDrop, email, iCloud Drive, Google Drive). Where you store it is up to you. We don't see the file. We don't want to.
If you skip this step, the wizard doesn't nag. The backup feature is reachable later from Settings → Backup. But the wizard is the moment the question lands most cleanly.
Step 6 — You're Ready
The final screen is short. It says, effectively, you're ready, here's what to do next.
Three suggested next steps surface on this screen:
- Set up your Emergency Card — medical info, contacts, insurance, physician. The Emergency Card is the artifact most users open most often, and the screen says so.
- Import passwords from your old manager — links to the CSV import flow for Chrome, Edge, Brave, Apple Passwords, LastPass, Bitwarden, 1Password, or Dashlane.
- Add another vault — for your spouse, your parent, your child. The multi-vault story is part of the product, not a hidden feature.
You tap Go to my vault and you're at the dashboard.
The wizard doesn't run again. A flag (setup_wizard_completed) is written to AsyncStorage, and any subsequent vault creation goes through the simpler vault-creation flow instead.
What the Wizard Doesn't Do (And Why)
A few decisions about what we left out of the wizard, on purpose:
No tour of features. Tours are how products acknowledge their UX is too complicated to be self-evident. The wizard does the work of getting you to a usable vault — and trusts the actual app to teach the rest by being usable.
No cloud-account creation. Because there is no cloud account. There is no SecureKeep server. You don't sign up for anything. The vault on your phone is the entire product.
No "verify your email" step. Same reason. There is nothing to verify because there is no email on file.
No nag for biometrics, backup, or first credential. All three are skippable, all three are first-class buttons, none of them have a "no thanks" buried in small grey text at the bottom of the screen. We don't believe in dark patterns at the moment a user is trying to trust us with their passwords.
No progress meter that punishes skipping. The progress bar shows you which step you're on, not whether you "completed" the wizard correctly.
How Long This Actually Takes
Roughly six minutes, in our usability testing, for the median user. Distribution looks something like:
- Naming the vault: 30 seconds
- Choosing a master password (the slow step): 60–120 seconds, depending on whether you have a passphrase pattern in mind
- Biometrics: 15 seconds (or skipped)
- First credential: 90 seconds (or skipped)
- First backup: 60–90 seconds (or skipped)
- Final screen: 15 seconds
Skipping every optional step ends the wizard in roughly 90 seconds. Doing every step ends it in roughly 6 minutes. Both paths produce a working, encrypted vault.
The point isn't speed. It's that the wizard respects the time you're spending and doesn't ask for more attention than the step needs.
Frequently Asked Questions
Can I redo the setup wizard later? Not directly — the setup_wizard_completed flag is one-way. You can create additional vaults at any time via the standard vault-creation flow, which has all the same steps without the wizard framing.
Does the wizard work the same on Android and iOS? Yes. Same six steps. Same skippable options. The biometrics step uses Touch ID/Face ID on iOS and the platform fingerprint API on Android.
What if I forget the master password I set during the wizard? If you have an encrypted backup file and remember the backup passphrase, you can restore the backup on a new device — but you'll need the master password used at backup time. If both the master password and any biometric path are lost and you have no backup, the vault content is unrecoverable. This is the trade for the local-only architecture; there is no SecureKeep server to issue a password reset.
Can I create more than one vault during the wizard? No — the wizard creates exactly one vault. Additional vaults are created later from the vault picker.
Is the wizard required for App Store / Play Store demo accounts? Demo Mode bypasses the wizard and lands directly on a pre-populated demo vault. The wizard is the path for real first-time users.
Can I import a CSV during the wizard? Step 4 ("Add your first password") is a single-credential flow. The bulk CSV import lives one tap away from the dashboard after setup. Many users skip Step 4 in the wizard and head directly to Settings → Tools → Import from CSV to bring in 200 passwords at once. Either path works.
What changed compared to v2 onboarding? v2 had a single combined "create vault" screen with all decisions on one page. v3.0.0 split it into the wizard so users could engage with each decision in turn, and so the optional steps (first credential, first backup) could be offered without cluttering the create-vault screen for users who already know what they're doing.
Related reading:
- The Emergency Card: A One-Page Document That Could Save Your Family Hours
- How to Import Passwords from LastPass to SecureKeep
- Where to Store Backup Codes Safely (And Share Them With Your Spouse)
- Why SecureKeep Has No Login Screen: The Local-Only Vault Explained
SecureKeep is a $7.99 one-time-purchase encrypted vault for iOS and Android. Multi-vault, emergency cards, voice messages, password health, structured 2FA, CSV import from seven password managers — all encrypted locally, no cloud account required.