Allod, answered straight.

Allod is the self-custody carrier: a US phone plan on AT&T and T-Mobile. Every account operation on your line, including SIM changes, eSIM reissues, port-out, recovery resets, and policy edits, is gated by a signature from the wallets, multisigs, hardware keys, or passkeys you already hold. Same self-custody setup you trust with your money, now governing your phone line.

Three things, in order. First, architecture: multi-key configurability is the wedge. Multisig (Safe), hardware keys (Yubikey, Ledger, Trezor), passkeys, recovery quorums, and per-operation timelocks you set. Second, we sell to people, not companies. Your line is yours. A firm or team can be added as a co-signer, but that is a capability, not the product. Third, we anchor the threat where it actually lives: your phone number is the silent recovery factor behind your bank, your brokerage, the IRS, your Apple ID, and your Google account.

Your phone number is the silent recovery factor behind your bank, your brokerage, the IRS, your Apple ID, and your Google account. Harden everything else and a SIM-swap of your personal cell still ends you. The FTX defendants lost $400M to a SIM-swap crew. T-Mobile paid a $33M arbitration in March 2025 over one. NIST SP 800-63B-4 has been steering high-assurance flows off SMS for years. Kraken tells customers to disconnect their phone from security functions. The wedge is treating the line as an account, not a service.

Allod is in pre-launch. The waitlist is open. The pilot targets a first cohort of high-stakes individual lines, then opens to broader signups as the policy and signing infrastructure are exercised. The site labels modules as Live, Beta, Planned, or Roadmap so the claim and the artifact never drift.

Any combination you configure: a Safe multisig, hardware keys (Yubikey, Ledger, Trezor), passkeys, or a recovery quorum of named guardians. You set the threshold per operation. A port-out can require a 2-of-3 hardware quorum with a 24-hour timelock. A policy edit can require everything. A routine SIM swap on a known device can be lighter.

Recovery is a first-class operation, not a help-desk override. You pre-name a recovery quorum (guardians, a second hardware key, a passkey on a separate device, or a Safe you control). The quorum signs a recovery proposal. A timelock you set runs. You can cancel during the window from any other key on the account. We do not have a phone number to call to bypass this. That is the point.

Yes. Co-signing is a capability you can add or remove. A treasury Safe, a security-team key, or a legal-counsel quorum can be required on sensitive operations like port-out or recovery. The line stays yours. You can drop the co-signer at any time, subject to the timelock you set when you added them. This is the right shape for an executive, a treasury signer, or a security engineer whose personal SIM is the soft underbelly of a professional role.

Every account operation can carry a timelock. A timelock is a delay window during which any other authorized key on your account can cancel the operation. It is the structural answer to a stolen key or a coerced signature. Set short delays for low-stakes operations and longer delays for the operations that would end you.

Cape gates account access with a single device-bound BIP-39 phrase. Cape's own docs say the phrase is what you use when you replace your phone or get a new number, and that you should never share it with anyone, including Cape representatives. By that design, if you lose the phrase there is no support path back into the account. Allod is multi-key by design: any number of keys, any policy you choose, with recovery quorums and timelocks. No single lost device, lost phrase, or compromised employee ends your number. Different threat model, different default.

Efani runs an 11-step concierge with a 14-day human cool-off before changes ship, at $99 per month, $89 at five or more lines. That is human friction applied well. Allod replaces human friction with cryptographic gating: the only path that moves your line is a signature from a key you hold, executed by policy you set. No agent has a button that bypasses your keys, because the button does not exist.

AT&T, T-Mobile, and Verizon authenticate you with facts that are already in public breach data: name, date of birth, address, last four of SSN. A store rep with a screen and a manager override can move your line. T-Mobile alone paid a $33M arbitration in March 2025 over a SIM-swap. Same number, same network, but only your keys can move it.

No. CALEA (47 USC 1002) requires every US carrier, including MVNOs, to deliver targeted communications on a valid court order. Allod's keys gate your account operations (who can change your SIM, port your number, reset your account), not the radio path. We say this openly because security products that overclaim get caught later.

No. Per GSMA SGP.22, the SM-DP+ provisioning server and the underlying carrier hold the cryptographic keys that install or revoke an eSIM profile. Allod gates the request layer: whether we will instruct the SM-DP+ to make a change. This is the same architectural reality that applies to Cape, Efani, and every other MVNO.

Lawful carrier obligations (CALEA), the SIM cryptography itself (GSMA SGP.22), SS7 and Diameter network-layer attacks, host-network actions, and device compromise. Signing gates the request layer, which is where SIM-swaps happen. It does not redesign the cellular radio.

Unhackable. Unswappable. Impossible. Allod reduces account-takeover risk by removing the human override path that every other US carrier still operates, and by gating account operations on signatures from keys you already hold. Anything beyond that is a marketing claim we do not make.