Wallet Design and Security | CBDC Architecture & Design | XRP Academy - XRP Academy
XRPAcademy
Course Progress0/20
3 free lessons remaining this month

Free preview access resets monthly

Upgrade for Unlimited
Skip to main content
beginner50 min

Wallet Design and Security

Learning Objectives

Describe different CBDC wallet architectures

Explain key management and security models for wallets

Compare custodial vs. non-custodial approaches

Identify accessibility and inclusion requirements

Analyze trade-offs in wallet design decisions

A CBDC is useless if people can't use it. The wallet—whether a mobile app, card, or other interface—is the human-facing layer of the system. It must be secure enough to protect value, simple enough for anyone to use, and compliant enough to satisfy regulators.

Unlike cryptocurrency wallets where users control private keys directly, CBDC wallets typically involve intermediaries. This changes the security model, the recovery options, and the user experience fundamentally.

CBDC WALLET TYPES

MOBILE WALLET (Software):
┌─────────────────────────────────────┐
│ SMARTPHONE │
│ │
│ ┌───────────────────────────────┐ │
│ │ CBDC WALLET APP │ │
│ │ │ │
│ │ - Balance display │ │
│ │ - Transaction interface │ │
│ │ - QR code generation │ │
│ │ - NFC payment │ │
│ │ │ │
│ └───────────────────────────────┘ │
│ │
│ Keys stored in device │
│ (Often in Secure Enclave) │
└─────────────────────────────────────┘

CARD-BASED WALLET:
┌─────────────────────────────────────┐
│ SMART CARD / NFC CARD │
│ │
│ - Secure Element stores value │
│ - Tap to pay │
│ - PIN protected │
│ - May work offline │
│ - No smartphone needed │
└─────────────────────────────────────┘

HARDWARE WALLET:
┌─────────────────────────────────────┐
│ DEDICATED DEVICE │
│ │
│ - Specialized security │
│ - Air-gapped possible │
│ - Higher security │
│ - Less convenient │
└─────────────────────────────────────┘

WEB WALLET:
┌─────────────────────────────────────┐
│ BROWSER-BASED │
│ │
│ - No app installation │
│ - Server-side processing │
│ - Cross-device access │
│ - Requires internet │
└─────────────────────────────────────┘

INTEGRATED BANK WALLET:
┌─────────────────────────────────────┐
│ EXISTING BANKING APP │
│ │
│ - CBDC as additional balance │
│ - Familiar interface │
│ - Leverages existing security │
│ - Bank manages everything │
└─────────────────────────────────────┘
```

CUSTODY MODELS

CUSTODIAL WALLET:
┌────────────────────────────────────────────────┐
│ Intermediary holds and manages CBDC │
│ │
│ User ──────▶ Intermediary ──────▶ Central │
│ (App) (Holds CBDC) Bank │
│ │
│ User has CLAIM on CBDC │
│ Intermediary has ACTUAL CBDC │
│ │
│ Security: Intermediary responsible │
│ Recovery: Through intermediary │
│ Control: User depends on intermediary │
└────────────────────────────────────────────────┘

Like: Bank account
User trusts intermediary
Most CBDC designs use this

NON-CUSTODIAL WALLET:
┌────────────────────────────────────────────────┐
│ User directly controls CBDC │
│ │
│ User ─────────────────────────▶ Central │
│ (Keys) Bank │
│ (Ledger) │
│ │
│ User has DIRECT control │
│ No intermediary holds CBDC │
│ │
│ Security: User responsible │
│ Recovery: User's keys only │
│ Control: User has full control │
└────────────────────────────────────────────────┘

Like: Cash or crypto wallet
User has full responsibility
Rare in CBDC designs

  • User controls keys
  • Intermediary provides services
  • Recovery mechanisms exist
  • Shared responsibility
ARCHITECTURE TRADE-OFFS

CUSTODIAL NON-CUSTODIAL
─────────────────────────────────────────────
User Responsibility Low High
Recovery Easy Difficult
Intermediary Risk Yes No
Censorship Risk Higher Lower
Regulatory Ease Yes Difficult
User Experience Simpler More complex
Privacy Lower Higher possible

  • Regulatory compliance easier
  • Recovery is essential for mass adoption
  • Central banks want intermediary layer
  • User responsibility concerns for mainstream
  • Offline small-value storage
  • Privacy-focused tiers
  • Advanced user options
KEY MANAGEMENT IN CBDC WALLETS

WHAT ARE KEYS?
Cryptographic credentials that authorize transactions
Private key = ability to spend
Key compromise = loss of funds

KEY STORAGE OPTIONS:

SERVER-SIDE (Custodial):
┌────────────────────────────────────────┐
│ Intermediary's secure infrastructure │
│ │
│ - HSMs (Hardware Security Modules) │
│ - Encrypted databases │
│ - Multi-signature schemes │
│ - User authenticates to access │
└────────────────────────────────────────┘

User doesn't have key
User has credentials to authorize

DEVICE-SIDE (User-held):
┌────────────────────────────────────────┐
│ User's device │
│ │
│ Smartphone options: │
│ - Secure Enclave (iOS) │
│ - TEE (Android) │
│ - Software encryption │
│ │
│ Key never leaves device │
└────────────────────────────────────────┘

User controls key
Varies in security level

SPLIT KEY:
┌────────────────────────────────────────┐
│ Key split between parties │
│ │
│ - User holds part │
│ - Intermediary holds part │
│ - Both needed to transact │
│ - Threshold signatures │
└────────────────────────────────────────┘

Compromise of one party insufficient
Recovery possible if one lost
```

USER AUTHENTICATION METHODS
  • PIN (4-6 digits)
  • Password
  • Pattern
  • Device itself
  • SIM card
  • Hardware token
  • Smart card
  • Fingerprint
  • Face recognition
  • Voice
  • Iris

MULTI-FACTOR APPROACH:
┌────────────────────────────────────────┐
│ Small transactions: Single factor │
│ - Biometric unlock │
│ │
│ Medium transactions: Two factors │
│ - Biometric + PIN │
│ │
│ Large transactions: Strong auth │
│ - Biometric + PIN + Confirmation │
│ │
│ High risk: Step-up authentication │
│ - Additional verification │
└────────────────────────────────────────┘

  • Low-value: Minimal friction
  • High-value: Strong authentication
  • Unusual activity: Extra verification
  • New device: Re-verification
SECURE ELEMENT TECHNOLOGY

WHAT IS A SECURE ELEMENT?
Tamper-resistant hardware for sensitive operations
Isolated from main processor
Protected key storage

TYPES:

  • Chip in device

  • iPhone Secure Enclave

  • Permanent, high security

  • Security on SIM card

  • Carrier-controlled

  • Portable between devices

  • Isolated area of main processor

  • Android TrustZone

  • Software-isolated, less hardware protection

  • Separate physical device

  • Highest security

  • Less convenient

FOR CBDC:
Most rely on device secure elements
Not as secure as dedicated hardware
Balance between security and accessibility


---

ACCESSIBILITY FOR ALL USERS

DIGITAL LITERACY RANGE:
┌────────────────────────────────────────────────┐
│ Tech-savvy ◄──────────────────► Non-technical │
│ │
│ - Multiple apps - First smartphone │
│ - Crypto experience - Basic phone skills │
│ - Feature seeking - Need simplicity │
└────────────────────────────────────────────────┘

DEVICE RANGE:
┌────────────────────────────────────────────────┐
│ Latest smartphone ◄───────────► Basic phone │
│ │
│ - iOS/Android - Feature phone │
│ - High performance - USSD/SMS only │
│ - Rich UI possible - Text interface │
└────────────────────────────────────────────────┘

  • Visual impairments: Screen readers, voice
  • Motor impairments: Alternative inputs
  • Cognitive: Simple interfaces
  • Age-related: Larger text, clear design
  • Works on 5+ year old devices
  • Low data usage
  • Works on slow connections
  • Simple onboarding
  • Local language support
  • Offline capability (some functions)
USER ONBOARDING PROCESS

MINIMAL FRICTION PATH:
┌─────────────────────────────────────────┐
│ 1. Download app │
│ └─► App store / direct download │
│ │
│ 2. Basic registration │
│ └─► Phone number verification │
│ │
│ 3. Create PIN/biometric │
│ └─► Security setup │
│ │
│ 4. Ready for low-value use │
│ └─► Tier 1 wallet active │
└─────────────────────────────────────────┘

Time: 2-5 minutes
Barrier: Minimal
Functionality: Limited (low value)

FULL KYC PATH:
┌─────────────────────────────────────────┐
│ 1-4. Basic setup (as above) │
│ │
│ 5. Identity verification │
│ └─► ID document scan │
│ └─► Selfie/liveness check │
│ └─► Address verification │
│ │
│ 6. Verification processing │
│ └─► Minutes to days │
│ │
│ 7. Full wallet active │
│ └─► All limits/features │
└─────────────────────────────────────────┘

Time: 10-30 minutes (plus processing)
Barrier: Higher (docs required)
Functionality: Full
```

ESSENTIAL WALLET FEATURES
  • Current balance (prominent)
  • Transaction history
  • Search/filter transactions
  • Export capability
  • Enter amount
  • Select/enter recipient
  • Review and confirm
  • Confirmation receipt
  • Display QR code
  • Share payment link
  • Request specific amount
  • Scan merchant QR
  • NFC tap
  • Enter amount if needed
  • Receipt
  • Security settings
  • Notification preferences
  • Limits management
  • Help/support
  • Scheduled payments
  • Split payments
  • Merchant features
  • Analytics
WALLET RECOVERY SCENARIOS
  • Log in on new device
  • Verify identity
  • Full recovery
  • Need backup seed/key
  • No backup = permanent loss
  • Like losing cash
  • Identity verification
  • May require additional steps
  • Recovery possible with proof
  • Password reset process
  • Identity verification
  • Account recovered
  • Backup phrase required
  • No phrase = no recovery
  • User responsibility
  • Contact support
  • Freeze account
  • Investigation possible
  • May recover funds
  • If keys compromised, funds gone
  • No recourse
  • User must secure keys

FOR CBDC ADOPTION:
Recovery is essential
Pure non-custodial too risky for mass market
Custodial or hybrid necessary
```

WALLET CONTINUITY SCENARIOS

INTERMEDIARY FAILURE:
What if your CBDC wallet provider goes bankrupt?

  • CBDC is central bank liability
  • Not an asset of the intermediary
  • Should be segregated
  • Transfer to another provider
  1. Intermediary failure recognized
  2. User notified
  3. CBDC frozen temporarily
  4. Transfer to new intermediary
  5. User re-onboards with new provider
  6. Access restored

DIFFERENT FROM BANK FAILURE:
Bank deposits: Bank's liability (at risk)
CBDC through bank: Central bank's liability (safe)

This is a key CBDC advantage

  • Intermediary system down: Use different intermediary
  • Central bank system down: All CBDC stops
  • Network outage: Offline capability helps
CBDC WALLET IMPLEMENTATIONS
  • Mobile app (custodial)
  • Authorized financial institutions provide
  • Tiered based on KYC
  • QR code payments
  • Speed Wallet (bank-integrated)
  • eNaira app (CBN)
  • Tiered KYC levels
  • USSD for feature phones
  • Multiple bank apps
  • Central e-CNY app available
  • Hardware wallet options
  • SIM-based wallet testing
  • Most advanced variety
  • Through bank/PSP apps
  • Basic central bank app possible
  • Card-based options
  • Offline capability planned
HARDWARE WALLET FOR CBDC
  • Offline capability
  • No smartphone needed
  • Higher security
  • Physical form factor familiar

FORMS:

  • Credit card sized

  • NFC enabled

  • Secure element built-in

  • Display possible (e-ink)

  • Battery or passive

  • Ring, bracelet, watch

  • NFC payment

  • Convenience focused

  • Limited display

  • Purpose-built CBDC device

  • Full functionality

  • Screen and buttons

  • Highest security

  • Most expensive

  • Card-based wallets tested

  • Wristband versions

  • For those without smartphones

  • Offline enabled

Custodial wallets dominate CBDC designs—recovery and compliance require intermediaries.

Mobile apps are primary interface—smartphone prevalence makes this practical.

Tiered security matches transaction value—risk-based authentication is standard.

⚠️ Optimal balance of security and usability—still being refined.

⚠️ Hardware wallet adoption—unclear if mass market will use them.

⚠️ Non-smartphone solutions effectiveness—USSD and cards need more testing.

📌 Assuming smartphone-first is inclusive—excludes significant populations.

📌 Over-complicating security for low values—friction kills adoption.

📌 Under-investing in recovery—users will lose access; process must be smooth.

CBDC wallet design is a balancing act: secure enough to protect value, simple enough for everyone, compliant enough for regulators. Custodial models dominate because recovery is essential for mainstream adoption. The best designs make security invisible for small transactions while protecting users from their own mistakes.

Assignment: Design wallet specifications for a hypothetical CBDC, including architecture, security model, user flows, and accessibility features.

Time Investment: 3-4 hours

End of Lesson 12

Course 58: CBDC Architecture & Design
Lesson 12 of 20

Key Takeaways

1

Custodial wallets are standard for CBDCs

: Intermediaries manage security and enable recovery—essential for mainstream adoption.

2

Security must scale with value

: Low-value transactions should be frictionless; high-value needs strong authentication.

3

Accessibility requires multiple approaches

: Mobile apps, USSD, cards, and hardware wallets serve different populations.

4

Recovery differentiates CBDC from crypto

: Users expect to recover lost access—pure non-custodial is unsuitable for mass adoption.

5

User experience determines adoption

: The best security is useless if people won't use the wallet. ---