Castle

Reference architectures

5 patterns for policy controlled, shared MFA: trading desk access, the two person rule, split seed custody, auditor ready logging, and device lifecycle. Each shows the dataflow, components, and security considerations.

SaaS

Geofenced exchange access for trading desks

Two desks, one exchange account. Instant, geofenced, 1 hour windows of TOTP codes without ever sharing the seed.

TOTP RFC 6238GeofencingGroups + policiesCode chunks
SaaS

Two person rule for root accounts

AWS root and DNS accounts get approval gated MFA with no self approval and a clean trail for the auditors.

Approval thresholdPush notificationsAccess windowsAudit log
SaaS

Auditor ready access logging

Every enrollment, request, approval, and code display in an immutable, append only log with device and geolocation.

Append only logGeolocationEvent APISOC 2 controls
Hybrid

Split seed custody with enclave code generation

Seeds split between customer and cloud shares. Only an attested enclave reconstructs, generates codes, and encrypts them per device.

Split key sharesNitro EnclaveECIES + AEADS3 expiry
Hybrid

Device lifecycle without seed rotation

Peer approved enrollment, per device keypairs, and one tap revocation. The seed and the policies never change.

Device keypairsPeer approvalKey wrappingRevocation