KeyForge Team Pro

Enterprise Security at Scale

Team-syncing WebAuthn-compatible security keys for MSPs and organizations. All devices in a team share credentials, allowing any team member to authenticate to shared services.

Features

Team Credential Sync

All team devices derive the same master seed from a shared team code. Credentials sync as metadata only - private keys are never transmitted. Any team device can sign.

Serial-Locked Firmware

Each customer receives firmware locked to their device serial numbers. Firmware IS the license - can't be used on unauthorized devices.

Zero-Knowledge Server

Sync server stores only encrypted blobs. All credential data encrypted client-side with keys derived from the team code. Zero knowledge of credential contents.

Device Revocation

An admin marks a device as revoked on the server. On its next sync, the device auto-wipes its credentials and team seed. Instant deprovisioning of lost or stolen keys.

Offline Time Limits

RTC-based check-in enforcement. Devices lock after configurable offline duration. Tampering with the RTC triggers automatic credential wipe.

Policy Enforcement

Per-team policies for offline duration, sync intervals, wipe-on-blacklist, and credential expiry. Managed centrally, enforced on device.

WiFi Connectivity

Captive portal setup for WiFi credentials. Automatic sync on boot, periodically while idle, and after any credential change.

Device Authentication

Devices authenticate to sync server using HMAC tokens derived from team code and device serial. No username/password needed.

All KeyForge Features

WebAuthn/CTAP2 + U2F support, Secure Boot v2, NVS encryption, OTA updates, hmac-secret for SSH, and everything else from the base KeyForge.

Technical Specifications

Base Platform

KeyForge (ESP32-S3)

Additional Hardware

DS3231 RTC + CR2032 battery

Connectivity

WiFi 802.11 b/g/n

Sync Protocol

HTTPS with E2E encryption

Counter Strategy

Device index partitioned (device_index << 24 | local_counter)

Max Devices per Team

255

Credential Slots

128 per device (synced)

Offline Capability

Full operation with cached credentials

Architecture

KeyForge Team Pro extends KeyForge with WiFi connectivity and team synchronization:

Customer firmware contains:
├── team_code (secret, for seed derivation)
├── team_id (public, for server identification)
├── allowed_serials[] (list of authorized device serials)
└── sync_server_url

All team devices derive the same master seed from the shared team code:

team_code ─► HKDF ─► team_seed (32 bytes)
                         │
credential_id + team_seed ─► HKDF ─► private_key

Security Model

Threat                    Mitigation
Stolen device             User PIN required, device can be revoked, auto-wipe on blacklist
Server compromise         E2E encryption - server has only ciphertext
Firmware extraction       Team code in firmware, but useless without matching serial
Rogue device              Serial allowlist in firmware + server-side verification
Device offline too long   RTC-based check-in enforcement with tamper protection

Sync Protocol

Credentials sync over HTTPS with end-to-end encryption:

sync_encryption_key = HKDF(team_code, "keyforge-teampro-sync-v1")
encrypted_cred = AES-GCM(sync_encryption_key, credential_data)

Only metadata syncs - private keys are derived locally from the team seed. The server stores only ciphertext with zero knowledge of credential contents.
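The seed derivation from the Architecture section and the sync encryption above, worked through in Go as an added example (not KeyForge's own firmware or code); HKDF-SHA256 is written out directly so the block needs only the standard library. The info labels for the seed and per-credential steps, the use of team_seed as HKDF input keying material with credential_id in the info field, and AES-256-GCM with a random nonce prefixed to each blob are assumptions: the page states only the sync label "keyforge-teampro-sync-v1" and the device_index << 24 | local_counter counter layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hkdf32: RFC 5869 HKDF-SHA256 for one 32-byte block (extract with salt, expand with info || 0x01).
func hkdf32(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}
// TeamSeed: team_code -> HKDF -> team_seed. The info label is assumed; the page gives none.
func TeamSeed(teamCode []byte) []byte { return hkdf32(teamCode, nil, []byte("keyforge-teampro-seed-v1")) }
// CredentialKey: credential_id + team_seed -> HKDF -> 32 bytes of private key material (assumed layout:
// seed as IKM, id bound through info, so every credential gets an independent key).
func CredentialKey(teamSeed, credentialID []byte) []byte {
	return hkdf32(teamSeed, nil, append([]byte("keyforge-teampro-cred-v1:"), credentialID...))
}
// SignCounter: device_index << 24 | local_counter, with local masked to its 24-bit field.
func SignCounter(deviceIndex uint8, local uint32) uint32 { return uint32(deviceIndex)<<24 | local&0xFFFFFF }
// SyncAEAD: sync_encryption_key = HKDF(team_code, "keyforge-teampro-sync-v1") as on the page, used with AES-256-GCM.
func SyncAEAD(teamCode []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(hkdf32(teamCode, nil, []byte("keyforge-teampro-sync-v1")))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealCredential: blob = nonce || ciphertext || tag, which is all the sync server ever stores.
func SealCredential(aead cipher.AEAD, metadata []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return aead.Seal(nonce, nonce, metadata, nil)
}
// OpenCredential: a modified nonce, ciphertext or tag fails the GCM authentication check.
func OpenCredential(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}
```

Two devices fed the same team code derive identical seeds and per-credential keys, which is exactly why the team code is the secret that matters in this model; a blob sealed under one team's sync key does not open under another's.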

Use Cases

  • MSPs: Shared access to client infrastructure without password sharing
  • IT Teams: Any team member can authenticate to shared service accounts
  • On-call Rotation: Seamless handoff without credential transfer
  • Compliance: Audit trail of which device authenticated when

Deployment

  1. Provision devices with team-specific firmware via keyforge-provision
  2. Deploy self-hosted sync server or use AuthGrid managed service
  3. Distribute devices to team members
  4. Credentials automatically sync across all team devices

Get Started with KeyForge Team Pro

Ready to take control of your authentication security?

Contact Sales