Castle reference architectures/SaaS

Geofenced exchange access for trading desks

Two desks, one exchange account. Traders in NYC and Singapore get instant, geofenced, 1 hour windows of TOTP codes without ever sharing the seed.

TOTP RFC 6238GeofencingGroups + policiesMobile enclave keysEncrypted code chunks
NYC traders
SG traders
Castle app
Device enrollment · admin approved
Enrolled devices
CastleInstant access policy
Group membershipCHECKED
GeofenceENFORCED
Seed reconstructionIN ENCLAVE
Code encryptionPER DEVICE
DeribitOKXAny TOTP accountSingle owner accounts
1 hour access windowsEvery display loggedRevoke a device, not the seed

Dataflow

01

An operations lead enrolls the exchange TOTP seed by scanning its QR code in the Castle app. Castle splits the seed and stores the shares; the seed itself is never stored whole.

02

Two policies bind to the same seed: an NYC policy and a Singapore policy, each with its own requestor group, geofence, and 1 hour access window. No approvers; access is instant.

03

Traders install the Castle app and enroll phones backed by the device’s hardware enclave. An admin approves each first device.

04

A trader taps the account in the app. Castle checks group membership and that the device geolocates inside the permitted region.

05

On a valid request, the enclave reconstructs the seed, generates codes for the window, encrypts them to the trader’s device key, and destroys the seed material.

06

Every code display is logged with timestamp, user, device, and resource. When a trader departs, revoking their device ends access with no seed rotation and no password resets.

Components

Castle mobile app

Enrollment, requests, and code display. Codes decrypt locally, show with a live countdown, and purge on expiry.

Access policies

Per desk policies on one seed: requestor group, geofence, access window. Simple, auditable, scoped.

Nitro Enclave runtime

The only place the seed is ever whole. Generates RFC 6238 codes for the window, encrypts, and forgets.

Device keys

Each phone holds a hardware backed keypair; code chunks are encrypted to the requesting device only.

Audit log

Every enrollment, request, and display, visible to operations, security, and compliance.

Security considerations

The firm finally gets 2FA on exchange accounts without operational deadlock: codes are available to both desks around the clock, inside their own geofences.

Departure risk drops from rotate every password on every exchange to revoke one device.

The seed never exists outside the enclave after enrollment; a stolen phone yields only expired ciphertext.

Geofencing is policy enforced at request time, so a valid credential from the wrong region is still denied.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures