I was working with an IoT company who proudly showed us, their biggest customer, how the signing keys to particular actions that could impact many, many people were held on a rather trick little Spyrus USB stick. Which they displayed. In the pocket of a person that had the requisite passphrases to access it all on her own.
I asked what would prevent the person from hopping a plane out of nearby SFO and having a pleasant CCP-funded retirement and they turned all sorts of colors. They invested in a proper storage mechanism (and key management processes) after that.