Version 3.0 - Production Ready

Guardian Service Architecture
with KHO Authentication

Core Guardian service providing TOTP verification and cryptographic signatures for 2-of-2 multisig security.
Plus advanced recovery methods and governance features for enterprise deployment.

2FA Verification

Validates TOTP codes against wallet-specific secrets

Cosignature Service

Provides cryptographic signatures for dual-authorization

Security Isolation

Per-wallet guardian keys prevent system-wide attacks

Advanced Recovery & Governance

Additional enterprise features for business continuity and institutional deployment beyond core security.

KHO Recovery Method™

Three-factor authentication combining KNOW (password), HAVE (2FA device), and OWN (wallet keys) for enhanced recovery options.

Break-Glass Recovery

Emergency recovery system for when Guardian service becomes permanently unavailable with specialized TOTP validation.

V2 Governance

Advanced governance features including emergency guardian rotation with timelock protection and enhanced security controls.

Guardian Architecture

Containerized service on AWS ECS Fargate with auto-scaling, health checks, and comprehensive monitoring.

Service Components

Application Load Balancer
ECS Fargate Containers
AWS KMS for Key Management
DynamoDB for Wallet Records
CloudWatch Monitoring
WAF & Rate Limiting

Security Controls

No TOTP codes on-chain
Wallet-specific guardian keys
Replay-resistant signatures
Policy engine with rate limits
TLS and strict origin validation
Encrypted storage at rest

Guardian Features

TOTP Verification

Validates 6-digit TOTP codes against wallet-specific secrets without ever placing authentication data on-chain.

Cryptographic Signatures

Produces Ed25519 signatures over user-prepared transactions only after successful 2FA verification and policy checks.

Per-Wallet Isolation

Each wallet associated with distinct guardian public key used solely for that wallet's authorization path.

Hardware-Backed Security

Guardian keys and TOTP secrets protected by managed KMS with audit trails and least-privilege access.

Real-Time Monitoring

CloudWatch metrics and logs with alarms for elevated error rates, latency, and throttling events.

Business Continuity

Guardian rotation, recovery codes, and maintenance windows ensure service availability and reliability.

Guardian Implementations

Multiple deployment options and security models to meet different requirements and use cases.

AWS Cloud Implementation

Production-ready deployment on AWS infrastructure with auto-scaling and comprehensive monitoring.

  • ECS Fargate containers with auto-scaling
  • Application Load Balancer for traffic distribution
  • AWS KMS for key management and encryption
  • DynamoDB for wallet records and TOTP secrets
  • CloudWatch for monitoring and alerting
  • WAF for DDoS protection and rate limiting

Multi-Region Deployment

Geographically distributed Guardian services for high availability and disaster recovery.

  • Active-active deployment across regions
  • Global load balancing with Route 53
  • Cross-region data replication
  • Automatic failover capabilities
  • Regional compliance and data sovereignty
  • Reduced latency for global users

On-Premises Implementation

Self-hosted Guardian service for organizations requiring complete control over infrastructure.

  • Docker containerized deployment
  • Kubernetes orchestration and scaling
  • Hardware Security Modules (HSM) integration
  • Private network isolation
  • Custom monitoring and logging
  • Compliance with internal security policies

Hybrid Cloud Model

Combination of cloud and on-premises components for flexible deployment options.

  • Cloud-based Guardian service with on-premises validation
  • Hybrid key management with cloud KMS and local HSM
  • Flexible data storage options
  • Custom integration capabilities
  • Regulatory compliance support
  • Cost optimization through workload distribution

Security Models

Different architectural approaches for Guardian service deployment and trust distribution.

Centralized Guardian Service

Single Guardian service managing all wallet verifications with strict access controls.

Advantages

  • Simplified management
  • Consistent security policies
  • Easier monitoring

Challenges

  • Single point of failure
  • Centralized trust
  • Scalability challenges

Distributed Guardian Network

Multiple Guardian nodes working together with consensus mechanisms for verification.

Advantages

  • High availability
  • Reduced trust requirements
  • Better scalability

Challenges

  • Increased complexity
  • Consensus overhead
  • Coordination challenges

Federated Guardian Model

Multiple independent Guardian services that can verify each other's wallets.

Advantages

  • Cross-organization trust
  • Redundancy
  • Flexible governance

Challenges

  • Inter-service coordination
  • Complex key management
  • Trust establishment

Future Implementations

Guardian as a standalone service opens up new revenue streams and partnerships beyond just wallet security.

SaaS 2FA/Cosigning API

Per-request billing model

Package the Guardian service as a security microservice any wallet or dApp can call.

  • Pay-per-request or per-active-wallet billing
  • Off-chain 2FA and replay protection
  • Co-signing services for third-party wallets
  • RESTful API with comprehensive documentation
  • Rate limiting and usage analytics
  • Multi-tenant architecture with isolation

White-Label SDK

Licensing and support fees

Drop-in JavaScript and mobile SDKs for seamless integration with custom branding.

  • JavaScript SDK for web applications
  • Mobile SDKs for iOS and Android
  • Custom branding and theming options
  • Challenge/response and TOTP handling
  • Guardian key fetching and management
  • Comprehensive documentation and examples

Multi-Chain & Multi-App Support

Chain-specific pricing tiers

Extend beyond Solana to support Ethereum, Near, Avalanche and various transaction types.

  • Ethereum, Near, Avalanche PDA support
  • NFT mints and governance votes
  • Stablecoin transfer protection
  • High-value transaction security
  • Cross-chain guardian key management
  • Unified API across all supported chains

Enterprise Dashboard & Analytics

Enterprise subscription plans

Comprehensive dashboard with usage metrics, error rates, and compliance features.

  • Real-time usage metrics and analytics
  • Error rate monitoring and alerting
  • Geographic breakdown and SLA health
  • Per-wallet quotas and custom rate limits
  • Audit logs for compliance requirements
  • Enterprise-grade support and SLAs

Non-Crypto Workloads

Industry-specific pricing

Generic off-chain 2FA service for SSH logins, IoT devices, and API key management.

  • Secure SSH login authentication
  • IoT device provisioning and management
  • API key rotation and security
  • HSM lite for secure key management
  • Hardware-backed security without infrastructure
  • Compliance with industry standards

Exchange & Custodian Integration

Transaction-based fees at scale

Plugin for exchanges and custody platforms to add 2FA-backed multisig for large withdrawals.

  • CEX/DEX integration capabilities
  • Large withdrawal protection
  • Per-transaction or per-user fee model
  • Compliance with financial regulations
  • Audit trails for regulatory requirements
  • High-volume transaction processing

Ready to Experience True 2FA?

Join the future of blockchain security with Vokter Wallet and Guardian Service.