5 patterns for policy controlled, shared MFA: trading desk access, the two person rule, split seed custody, auditor ready logging, and device lifecycle. Each shows the dataflow, components, and security considerations.
Two desks, one exchange account. Instant, geofenced, 1 hour windows of TOTP codes without ever sharing the seed.
AWS root and DNS accounts get approval gated MFA with no self approval and a clean trail for the auditors.
Every enrollment, request, approval, and code display in an immutable, append only log with device and geolocation.
Seeds split between customer and cloud shares. Only an attested enclave reconstructs, generates codes, and encrypts them per device.
Peer approved enrollment, per device keypairs, and one tap revocation. The seed and the policies never change.