Questions and Answers

❓ What is AliceKeys?

AliceKeys is a mobile-first, hardware-backed SSH key system. It replaces traditional SSH keys with a secure key stored in your phone’s secure enclave, ensuring that the key never leaves your device and can’t be copied.

❓ Is this like turning my phone into a YubiKey?

Kind of, but with a much better experience. A YubiKey is a physical hardware token—you have to carry it around and plug it in whenever you need to authenticate.

With AliceKeys, your phone is the key, so:

✅ No need to carry extra hardware.
✅ No need to insert anything into your laptop.
✅ You enroll your phone once and use it quickly and seamlessly.

Example:

Instead of reaching for a YubiKey, plugging it in, and tapping it every time you SSH into a server, AliceKeys lets you authenticate instantly using just your phone.

❓ How does it work for SSH?

Your private key is securely stored inside your phone’s secure enclave.
When you SSH into a server, AliceKeys cryptographically signs the request without ever exposing the key.
This means no private key files on your laptop, reducing the risk of theft.

❓ What kind of authentication does AliceKeys use?

It uses FIDO2/WebAuthn standards and short-lived SSH keys.

This ensures that keys can’t be copied or extracted.
Your key is bound to your device and requires biometric authentication (Face ID, fingerprint) or device unlock to use.

❓ What happens if I lose my phone?

If you lose your phone, your key is still safe because:

It’s stored in the secure enclave and can’t be extracted.
You can revoke access for the lost keys.
You must generate a new key from another trusted device and give that key access.

❓ Can it work offline?

Yes, AliceKeys has an offline mode, meaning you can authenticate without an internet connection. However, if needed for security audits, logs can sync later when back online.

❓ Is this open-source?

Not yet, but we’re planning to open-source core components soon. Stay tuned!

❓ Can this be used for enterprise teams?

Yes! We’re working on an enterprise version with:

✅ Centralized key management
✅ Audit logs & compliance tracking
✅ Team access policies

❓ How does AliceKeys help with compliance?

AliceKeys ensures that all SSH keys are generated and stored in a secure enclave, backed by the mobile manufacturer’s attestation. This means:

✅ You can prove that each key is tied to a physical device.
✅ No duplicated, copied, or unmanaged keys floating around.
✅ Easier audits and compliance checks since you know exactly where each key exists.

Example:

Instead of manually tracking SSH key usage, you have guaranteed proof that only one key exists per device, reducing security risks.

❓ How does this make managing remote teams easier?

For global teams, managing hardware security tokens (like YubiKeys) is a logistical nightmare. You need to physically ship them, track them, and replace lost ones.

With AliceKeys:

✅ No shipping required—just enroll a new phone remotely.
✅ Instant deployment—onboard new developers securely in minutes.
✅ No more lost tokens—keys are bound to the user’s device, reducing risk.

Example:

A remote contractor in another country needs SSH access. Instead of mailing them a YubiKey, you remotely enroll their phone, ensuring secure access without delays.

❓ Does AliceKeys make compliance audits easier?

Yes! Since keys are bound to the user’s hardware, it eliminates common compliance headaches like:

✅ No shared or copied SSH keys.
✅ No unmanaged keys lingering in developer laptops.
✅ Clear tracking of which user has access, making audits much simpler.

Example:

During an audit, instead of searching through logs for old keys, you can simply prove that only verified devices hold valid keys—streamlining the compliance process.

❓ Will you support short-lived authentication in the future?

Yes, we’re planning to introduce temporary access approvals for high-security environments.

How it would work:

A developer requests access to a production server.
A system admin approves a short-lived session (e.g., valid for 1 hour).
No need for long-term SSH keys, reducing risk.

Example:

A developer needs to fix a production issue. Instead of giving them permanent SSH access, an admin grants a one-time authentication session—keeping security tight.

❓ Will AliceKeys have a self-hosted version?

Yes! We understand that some organizations need full control over their authentication systems, so we’re working on a self-hosted version that allows you to deploy AliceKeys on your own infrastructure.

No reliance on external SaaS—keep everything in-house.
Full control over user authentication and access policies.
Ideal for security-sensitive industries (finance, healthcare, defense).

Example:

If your company has strict data residency requirements, you can host AliceKeys internally and manage all SSH keys securely within your private network.

❓ Does AliceKeys support enterprise authentication systems like Keycloak or Azure AD?

Yes! AliceKeys is designed to integrate seamlessly with enterprise identity providers like:

Keycloak (OpenID Connect, SAML)
Azure AD (OAuth, SAML)
Okta
Google Workspace
Any system that supports OAuth2 or SAML

Example:

If your company already uses Azure AD for authentication, AliceKeys can extend it to SSH, VPN, and Git signing, ensuring consistent security policies across all systems.

❓ Is AliceKeys ready for OAuth2/SAML integration?

Yes! AliceKeys is built with OAuth2 and SAML compatibility in mind, meaning it can:

✅ Work with your existing SSO setup for authentication.
✅ Enforce role-based access control (RBAC) using enterprise policies.
✅ Ensure short-lived, non-persistent access to sensitive systems.

Example:

A new employee joins your company, and instead of manually managing SSH keys, AliceKeys can automatically enroll them based on their SSO credentials (via Keycloak, Azure AD, or Okta).

❓ Can AliceKeys be used for Zero Trust security models?

Absolutely. AliceKeys fits perfectly into Zero Trust frameworks by ensuring:

✅ Every authentication request is cryptographically signed and verified.
✅ No static SSH keys lingering on laptops.
✅ Authentication is bound to an enrolled device, reducing attack surface.

Example:

Instead of trusting that a device is secure just because it’s inside a corporate network, AliceKeys enforces device-bound authentication, preventing lateral movement in case of a breach.

❓ Can AliceKeys be used for DevOps pipelines & CI/CD security?

Yes! AliceKeys can be used to secure CI/CD pipelines by enforcing cryptographic signing of:

Git commits (signed with AliceKeys)
Code deployments (ensuring authenticity of build artifacts)
Infrastructure automation (secure authentication for Terraform, Ansible, etc.)

Example:

If you want to guarantee that every Git commit in your repository is signed by an authorized developer using AliceKeys, you can enforce mandatory Git signing with SSH authentication.

❓ Can AliceKeys be extended to other authentication workflows?

Yes! The system is modular and extensible, meaning we can add more authentication use cases based on demand, such as:

Short-lived access requests (e.g., admin approval for production access).
WebAuthn-based authentication for internal dashboards.
FIDO2 integration for passwordless logins across corporate apps.

❓ What other features are planned?

We’re exploring:

More enterprise controls for key management.
Additional compliance reporting & logging features.
Proximity-based authentication (e.g., auto-lock when phone is away).

💡 Want to try it out? Join the waitlist 👉 https://alicekeys.com
🚀 Got feedback? Tell us what you think—good, bad, or brutal!