An operations lead enrolls the exchange TOTP seed by scanning its QR code in the Castle app. Castle splits the seed and stores the shares; the seed itself is never stored whole.
Two policies bind to the same seed: an NYC policy and a Singapore policy, each with its own requestor group, geofence, and 1 hour access window. No approvers; access is instant.
Traders install the Castle app and enroll phones backed by the device’s hardware enclave. An admin approves each first device.
A trader taps the account in the app. Castle checks group membership and that the device geolocates inside the permitted region.
On a valid request, the enclave reconstructs the seed, generates codes for the window, encrypts them to the trader’s device key, and destroys the seed material.
Every code display is logged with timestamp, user, device, and resource. When a trader departs, revoking their device ends access with no seed rotation and no password resets.
Enrollment, requests, and code display. Codes decrypt locally, show with a live countdown, and purge on expiry.
Per desk policies on one seed: requestor group, geofence, access window. Simple, auditable, scoped.
The only place the seed is ever whole. Generates RFC 6238 codes for the window, encrypts, and forgets.
Each phone holds a hardware backed keypair; code chunks are encrypted to the requesting device only.
Every enrollment, request, and display, visible to operations, security, and compliance.
The firm finally gets 2FA on exchange accounts without operational deadlock: codes are available to both desks around the clock, inside their own geofences.
Departure risk drops from rotate every password on every exchange to revoke one device.
The seed never exists outside the enclave after enrollment; a stolen phone yields only expired ciphertext.
Geofencing is policy enforced at request time, so a valid credential from the wrong region is still denied.
Walk through the trust model, policy design, and rollout with our security and solutions team.