Identity & Access Control

SSO, MFA, hardware-backed identity, and ephemeral credentials — no standing access, no permanent keys.

Ephemeral JWTs · Hardware mTLS · SSO/SAML · MFA Enforcement

Ephemeral Credentials

Short-lived JWTs replace permanent SSH keys and service account passwords. Nothing to rotate, revoke, or forget.

SFTP's single most exploited weakness is that possession of a key equals authorization. MnemoShare eliminates this entirely — credentials expire automatically, and every action is bound to a verified identity.

  • Short-lived JWTs replace permanent SSH keys and service account passwords
  • Credentials expire automatically — nothing to rotate, revoke, or forget
  • 60-minute token lifetime by default, configurable per organization
  • No credential sprawl, no key management burden, no keys in Git repos
  • Every file operation bound to a verified identity, not just a key

SSO & MFA

Federated identity with any OIDC or SAML 2.0 provider, enforceable MFA, and role-based permissions.

  • SSO integration via OIDC and SAML 2.0 — Azure AD, Okta, Ping Identity, Google Workspace, Keycloak
  • MFA enforcement (TOTP) with backup codes, enforceable for all users with no exceptions
  • Role-based permissions with per-collection scoping for granular access control
  • Domain whitelisting for trusted partner organizations

Hardware mTLS

Enterprise+

Optional mutual TLS with non-exportable private keys bound to physical hardware.

Private keys never leave the hardware device — even if the endpoint is compromised, the credential cannot be exfiltrated.

  • Optional mutual TLS with non-exportable private keys
  • Supported hardware: YubiKey PIV, Apple Secure Enclave, TPM 2.0
  • Certificate authority via Step-CA integration
  • NIST 800-63B AAL3 compliant for authentication assurance
  • Private keys never leave the hardware device — credential cannot be exfiltrated even from a compromised endpoint

Beyond traditional MFT

Most managed file transfer platforms were designed before modern threats existed. Here is how MnemoShare compares.

Capability | Traditional MFT | MnemoShare
Credentials | Permanent SSH keys shared across teams | Ephemeral JWTs — auto-expire in 60 minutes, nothing to rotate
Identity verification | Key possession = authorization | Every action bound to a verified identity via SSO + MFA
MFA | Optional or not available | Enforceable TOTP for all users, no exceptions
Hardware security | Software keys on disk | Non-exportable keys on YubiKey, Secure Enclave, or TPM 2.0
Key management | Manual rotation, sprawl across repos and servers | No keys to manage — ephemeral tokens issued on demand

Real-world use cases

Eliminating SSH key sprawl

Organization replaces 500+ SSH keys across 12 servers with MnemoShare ephemeral JWTs. No more keys in Git repos, shared drives, or departing employees' laptops. Access revocation is instant — disable the user, tokens expire automatically.

Hardware-bound access for regulated data

Hospital requires NIST 800-63B AAL3 for accessing patient records. MnemoShare mTLS with YubiKey PIV ensures private keys never leave the hardware device. Even a compromised workstation cannot exfiltrate the credential.

Zero-trust partner access

Financial institution grants partner organization time-limited access to specific folders via domain whitelisting + SSO federation. No VPN, no shared credentials, no standing access. Every download logged with verified identity.

Frequently asked questions

How do ephemeral credentials work?

When a user authenticates (via SSO, MFA, or hardware key), MnemoShare issues a short-lived JWT with a configurable expiration (default 60 minutes). The token grants access to authorized resources and expires automatically. No keys to rotate, revoke, or manage.

What SSO providers does MnemoShare support?

MnemoShare supports any OIDC or SAML 2.0 provider including Azure AD, Okta, Ping Identity, Google Workspace, and Keycloak. Federated SSO allows partner organizations to use their own identity provider.

What is hardware mTLS?

Hardware mutual TLS binds authentication to a physical device — YubiKey PIV, Apple Secure Enclave, or TPM 2.0. The private key is generated on-device and cannot be exported, copied, or stolen. This provides NIST 800-63B AAL3 assurance.

Can I enforce MFA for all users?

Yes. MFA (TOTP-based) can be enforced organization-wide with no exceptions. Backup codes are provided for recovery. Combined with SSO, this ensures every user identity is verified before any file operation.
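The ephemeral-credential flow described in the first FAQ answer, as an added illustration that is not MnemoShare's own code: the signing key, the user directory, the claim contents and the 60-minute default are assumed for the demo. It mints an HS256 JWT bound to a verified identity and rejects tokens that are expired, tampered with, or belong to a user who has since been disabled.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not from MnemoShare: server-side signing key and user directory.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ACTIVE_USERS = {"alice@example.org": True, "bob@example.org": False}  # False = disabled
DEFAULT_TTL = 60 * 60  # 60-minute default lifetime, as described on the page

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, auth_methods: list, ttl: int = DEFAULT_TTL, now=None) -> str:
    """Mint a short-lived JWT once the user has authenticated (SSO, MFA or hardware key)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # "amr" (RFC 8176) records how the identity was verified; values here are assumed.
    payload = {"sub": subject, "amr": auth_methods, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now=None) -> dict:
    """Return the claims if the token is authentic, unexpired and its subject still active."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm before trusting anything else in the header.
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    # Disabling the user takes effect immediately, even for tokens issued earlier.
    if not ACTIVE_USERS.get(claims["sub"], False):
        raise ValueError("subject disabled")
    return claims
```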

Ready to see MnemoShare in action?

Start a free trial, schedule a walkthrough, or dive into the docs.