Castle

Where Castle fits in your identity stack

Castle is privileged access management for the accounts your IdP cannot reach, enforced through MFA workflows. It binds to Okta and Microsoft Entra / Azure AD and runs alongside Duo, not instead of it.

01 / The category

Three tools, three different jobs

Every enterprise has accounts built for exactly 1 user: AWS root, exchange logins, DNS registrars, social accounts. Your IdP cannot federate them and workforce MFA cannot share them. That is the gap Castle governs.

PAM through MFA workflows

Castle

Policy controlled, just in time access to shared TOTP credentials for single owner accounts. Quorum approvals, geofenced windows, zero knowledge seed custody, and a display level audit trail, all bound to your IdP.

Workforce MFA

Duo

Authenticates your people into apps built for teams: push verification, WebAuthn, device trust, adaptive login policies. Castle assumes you keep it. The 2 share your IdP and do different jobs.

Personal authenticator

Authy

Stores an individual’s own TOTP tokens with cloud backup and multi device sync. No policies, no approvals, no audit trail, no enterprise controls. Desktop app discontinued in 2024.

02 / Side by side

Capability comparison

Where the products overlap and where they were never designed to compete.

Capability
Castle
Duo*
Authy*
Shared access to single owner accounts
YES
NO
NO
Quorum approvals, no self approval
YES
NO
NO
Just in time TOTP enrollment and access
YES
NO
NO
Geofenced, time bound access windows
YES
ADAPTIVE LOGIN ONLY
NO
Enterprise IdP integration (Okta, Microsoft Entra / Azure AD)
YES
YES
NO
New device onboarding
SSO LOGIN · NO RE ENROLLMENT
PER APP RE ENROLLMENT
CLOUD BACKUP RESTORE
Zero knowledge seed custody
SPLIT KEY + ENCLAVE
VENDOR MANAGED
PASSWORD ENCRYPTED BACKUP
Display level audit log + SIEM export
YES
AUTH EVENT LOGS
NO
Per user push and WebAuthn
KEEP YOUR MFA
YES
NO
Desktop access
MOBILE ONLY BY DESIGN
YES
DISCONTINUED 2024

* Statements regarding third party products are based solely on publicly available information as of the date of publication, are provided for general comparison only, and are not warranted for accuracy or completeness. Product capabilities may change without notice. All trademarks are the property of their respective owners. No affiliation or endorsement is implied.

03 / Common questions

What security teams ask first

We already run Duo.

Keep it. Duo authenticates your workforce into apps built for teams. Castle governs the accounts built for exactly 1 user, where the only credential is a shared login and a TOTP seed. The 2 do different jobs and share your IdP.

Our password manager already shares 2FA codes.

A password manager shares the seed itself. When someone leaves, the seed leaves with them and every account needs rotation. Castle shares access, never the seed: offboarding is 1 revocation, and every code display is logged with user, device, and location.

Is Castle replacing our IdP?

No. Castle binds to Okta or Microsoft Entra / Azure AD. Members sign in with enterprise SSO and receive exactly the seeds they are entitled to, on any approved device, with no per-seed re-enrollment. Castle consumes identities; it never issues them.

Scope, by design

What Castle chooses not to do

Per-user push MFA and WebAuthn for workforce apps stay with Duo or your IdP. Castle does not compete for that job.

Codes display on enrolled mobile devices only. Hardware backed device keys are part of the trust model, not a missing feature.

Castle does not issue or federate identities. It binds to the identity infrastructure you already run.

See Castle against your account list

Bring the accounts your IdP cannot reach. We will map them to policies in a working session.

Learn more