What, if anything, is a wallet?

It is surprisingly hard to define just what a “wallet” is. Of course, I am not talking about physical wallets: those small cases that we use to carry our banknotes, credit cards, and identity documents. Instead, I am talking about the now-ubiquitous digital wallets that can come in many different form factors, such as hardware devices or smartphone apps.

What’s in your pocket?

But maybe the analogy still works? Broadly speaking, the wallet in my pocket may contain two types of items: items that I keep (let us call them “credentials”) and items that I hand out or receive (how about “vouchers”?). Credentials are used for authentication purposes: my identity document is a government-issued proof of my name, date of birth, and other data. Conversely, vouchers carry some type of (monetary) value that I can transfer to other people, thereby constituting a payment.

We can now try to classify our physical wallet items according to this dichotomy between credential and voucher:

  • Bank notes and coins are clearly vouchers. There is no Personally Identifying Information (PII) attached to them. They carry inherent value that is clearly marked as face value.
  • My passport is clearly a credential. It has no inherent value, but is presented to someone else who will determine, for example, if I am old enough to rent a car or a hotel room.
  • The same applies to my health insurance card, my German rail card, and my German Alpine Club membership card. Even though they are issued by non-government bodies, they serve some type of identification purpose.
  • A gift card is a voucher, since it has a face value and can be used for purchases at a specific store. If I am buying a smaller amount, some stores will return the difference as another voucher with a lower face value. Other types of gift cards behave more like debit cards (see below).
  • Debit cards are credentials, but perhaps less clearly. While they are used for payments – just like bank notes and coins – they have no inherent value. The money is drawn from my bank account, and the card merely identifies me as having access rights to that account. Therefore, debit cards are not vouchers.
  • Finally, credit cards are where it gets interesting. Modern credit cards are both credentials and vouchers. Each card carries some vouchers that are generated by the card’s issuer (my bank) that represent a dynamic amount of money. In a contactless payment, the card transmits one of those vouchers to the terminal. Notably, each voucher can only be used once! The acquirer bank (their bank) can then redeem a voucher into their bank account. Yet, the credential aspect is still present, because vouchers have a limit and must be replenished every so often.

What have we learned? A credential represents an aspect of who you are, whereas a voucher represents an aspect of what you possess. Therefore, a credential can often be replaced without losing some kind of value: if your passport gets stolen, you can get a new one. Conversely, a voucher is handed over in an exchange – a transaction – and replacing it when stolen is not possible.

In practice, as we have seen with credit cards, the distinction is not clear-cut. For example, what about train tickets? You merely show them in an inspection, but if they are lost, you have to buy another one. Unless they are personalized rail cards with your picture in it. But for now, the distinction between credential and voucher will serve as a useful analogy, guiding us from the physical into the digital world. As an interesting thought experiment, how would you classify your signature? Is it a voucher or a credential?

On cloning and validation

There is one more ingredient to the items in our physical wallet: their inability to be easily cloned. Take for example bank notes. As physical objects, they cannot be in two places at the same time. Therefore, bank notes have a very nice property: I cannot use the same bank note to pay two people (at least not without the first person handing it back to me, and then paying the second person). In mathematical terms, this means their use is linear. In a payment transaction with bank notes, they disappear from my wallet and immediately reappear in someone else’s wallet. It is impossible for the bank note to be here and there. Without jumping too far ahead, in the digital world, this is known as prevention of double spending.

Inability to be cloned is key for the authenticity of both vouchers and credentials. For example, if a thief could read out the credential data from my debit card and create a copy of it, neither the merchant nor the acquiring bank would have any way to know which one is the legitimate card. This is why a second factor, such as a PIN code, is often required. Or, on rare occasions, a government photo ID, which again must be resistant to cloning.

Yet, even though credentials should not be cloneable, it is possible to use them multiple times. Therefore, we can conclude that the purpose of credentials is to prove someone’s identity, instead of representing the identity itself. Vouchers, on the other hand, typically inherently represent some value, which includes data elements such as a currency and a face value.

Nonetheless, inability to clone does not by itself make a credential or voucher safe. A counterfeiter could try to create a bank note themselves, or to produce a forged passport. This is where the validation aspect comes into play. The issuer of a credential or voucher must empower users to detect counterfeits. In the case of bank notes, central banks expend a lot of effort on security features, such as the look & feel of the substrate, ultimately making copying infeasible. Broken down to its basics, this establishes a trust relationship between issuer and user. Since it would be impossible to have the central bank or a third party observe every single cash transaction, this trust must originate from the bank note itself.

The story is similar for credentials, such as government ID. But how do you feel about another common type of credential: the passwords you are using every day to log in to various services? There, the roles of issuer and validator are reversed. You choose the password yourself and the service provider validates it. The trust is constructed by two promises: you promise to keep your password a secret, and the provider promises to not even store it in the first place, so that nobody can steal it.

This concept of secrets sets the stage for the sea change when moving from the physical into the digital world. Data, unlike objects, can be easily copied. Copying data is what makes the internet great. We need an entirely new class of security features for digital credentials and vouchers, which may not be visible to humans.

Digital signatures

As we are getting closer to the essence of digital wallets, we therefore need to discuss a non-physical way of validation. Enter digital signatures. They are ubiquitous in computing, and also no stranger in wallets.

The core idea of digital signatures is explained quite easily. To produce a digital signature, you need a document that is supposed to be signed, and a cryptographic key that is supposed to sign. The document can be a single number (e.g., an account number), or some text, or contain arbitrarily much information: just like with physical signatures on paper. The signature is produced by applying a mathematical routine on the document and the key, producing a string of bytes (typically much less than one kilobyte’s worth, no matter how big the document). Common signature schemes include RSA and ECDSA.

But how is the signature validated? We use another mathematical routine. Now, we need three inputs: the document, the signature, and another cryptographic key. Validation entails some more cryptographic computation and yields valid or invalid as answer. To distinguish the key needed in producing the signature and validating the signature, we call them private and public key. The public key can be derived from the private key and shared publicly, whereas the private key must be kept secret.

Therefore, a valid signature proves that its signer – at the time of signing – had the knowledge of the private key associated with the public key used for validation and acknowledges the contents of the document. Both parties can trust that they know the same document, since the validation logic would fail in case the document has been tampered with during communication. This is also why digital signatures can be transmitted over unprotected channels, because eavesdroppers have no access to the private key used for creating the signature.

To make the entire process more secure, typically, the validator will ask the signer to include contextual information. For example: “Today is Tuesday the 25th of July, the time is 13:45 CEST, and I intend to purchase ten apples for the amount of 5 €.” This is good cryptographic practice for many reasons, such as clearly defining the scope of the agreement, but also to prevent so-called replay attacks. In a replay attack, eavesdroppers would store signatures and reuse them at a later point; similar to double spending, pretending to execute the same transaction multiple times.
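The signing, validation and replay protection described above can be shown in a short program. This is an added example, not code from the article: it uses Ed25519 from Go's standard library in place of the RSA or ECDSA schemes named above, a random nonce issued by the validator stands in for the date and time, and the names `Verifier`, `Challenge`, `Accept`, `document` and `Demo` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier holds only the signer's public key and the nonces it has issued.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// Challenge returns fresh contextual information for one transaction.
func (v *Verifier) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never hand out a predictable nonce
	}
	nonce := fmt.Sprintf("%x", b)
	v.pending[nonce] = true
	return nonce
}

// document binds the terms to the nonce (hex, so "|" is unambiguous).
func document(nonce, terms string) []byte { return []byte(nonce + "|" + terms) }

// Accept checks the signature, then consumes the nonce to block replays.
func (v *Verifier) Accept(nonce, terms string, sig []byte) string {
	if !ed25519.Verify(v.pub, document(nonce, terms), sig) {
		return "invalid"
	}
	if !v.pending[nonce] {
		return "replayed"
	}
	delete(v.pending, nonce)
	return "valid"
}

// Demo returns verdicts for an honest payment, a replay, and altered terms.
func Demo() (honest, replay, tampered string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key stays in the wallet
	v := &Verifier{pub: pub, pending: map[string]bool{}}
	terms := "ten apples for 5 EUR" // constructed sample document
	n1, n2 := v.Challenge(), v.Challenge()
	sig := ed25519.Sign(priv, document(n1, terms)) // wallet signs nonce + terms
	honest = v.Accept(n1, terms, sig)
	replay = v.Accept(n1, terms, sig) // eavesdropper re-sends the same bytes
	// The wallet signed 5 EUR, but the message was altered in transit.
	tampered = v.Accept(n2, "ten apples for 1 EUR", ed25519.Sign(priv, document(n2, terms)))
	return
}

func main() { fmt.Println(Demo()) }
```

The replayed message still carries a mathematically valid signature; it is rejected only because the validator remembers that its nonce has already been used.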

How is that used in practice? For example, credit cards employ digital signatures to prove their authenticity to the merchant’s terminal. More specifically, each payment card has a unique, individual private key “baked” into the hardware, and the issuer bank keeps a record of the corresponding public keys. (In reality, the process is a bit more complicated, involving multiple layers of keys, but that is a story for another time.) Now, the job of the chip on the card is to produce signatures and resist any attacker’s attempt to extract the private key itself.

In terms of the relationship between customer and merchant, instead of placing the trust in the security features of bank notes, the trust must now be placed into the cards and terminals. But observe how there is actually a fairly close parallel: trust is grounded in physical features; be it paper or chips.

What about digital wallets?

Now, we can finally define what a digital wallet is. It is merely a container of secret keys that may be used as vouchers or credentials. Often, those represent or enable access to money. They can come in different forms, such as smartphone apps or physical devices, employ countermeasures against tampering and cloning (often implemented as Secure Elements), and typically use digital signature mechanisms to prove possession of the secret keys. Perhaps most importantly, digital wallets must have some form of user interface that allows holders to carry out transactions, such as confirming their identity, asking for a PIN code, or initiating a payment.

While this definition seems simple, there are truly mind-bogglingly many different interpretations of this concept. Just to give you a general idea of the broad range of wallet embodiments: Google Pay and Apple Pay leverage smartphones’ built-in security chips and NFC interfaces to act like credit cards. They can only be used on the device that they have been set up on. But a cryptocurrency wallet, e.g., for Bitcoin, can be as simple as a piece of paper with a seed phrase on it, allowing anyone that can get their hands on the code to instantly get access to the Bitcoin holdings, no matter the device, via a pre-defined cryptographic algorithm. To protect one’s holdings, one would need to keep the paper in a safe deposit box. Something else entirely is PayPal, which allows you to keep an online balance for purchases and other transfers. This involves no cryptography on the customer’s end at all; merely logging in with username and password. All these examples are called wallets.

Yet, some of the examples are closer to being a “wallet” than others. In the case of Google Pay and Apple Pay, as well as the paper cryptocurrency wallet, they are very clearly storage containers of digital credentials. But PayPal is the odd one out: clearly some form of money is stored – evoking the physical notion of a “wallet” – but the underlying technical mechanisms are different. In their defence, one could argue that the PayPal app installed on the smartphone stores the credentials to access the balance and make transactions. However, with the same line of reasoning, your mail client and your browser would be wallets.

This only serves to illustrate the lack of clarity that often surrounds wallets. In particular, wallets are not easily interoperable. Wallets designed to keep government-issued identity information cannot just keep credit card information as well. Of course, a wallet app may support several types of secrets, or may even be extensible, but the general principle stays the same: each use case will likely require custom programming.

There are many other aspects of wallets that we could discuss (for example issuance, lifecycle management, loss recovery, certificate hierarchies, …), but again this would be a story for another time. The same applies to tokens, which are often mentioned in the same breath as wallets.

Where are the secrets?

As we saw, the embodiment of the wallet and the information contained therein may differ wildly, depending on the underlying technology and envisioned use cases. There is another important aspect that we have not yet touched upon: the concept of custody. (This has nothing to do with getting arrested.)

In finance, a custodian is an institution that keeps funds or other property on your behalf, with the intent to apply additional protection. Keeping commodities such as gold (an example of a voucher, by the way!) is not only costly but also risky: you need a lot of space and it could get stolen (or lost in a natural disaster). A custodian bank would offer to keep your assets safe for you – putting them into a fireproof vault, plus a hefty insurance policy – for a fee. Yet, your assets still belong to you: if the bank goes bust, they are not part of their insolvency estate. This is a typical arrangement for example for brokerage accounts, but not for deposit accounts.

Conversely, self-custody would refer to an individual holding their own assets and bearing their own risk. This is typical for smaller cash amounts. Payment cards are once again a mixture: while the account balance associated with a debit card does not qualify as self-custody, the PIN code giving access to it is.

There is a simple rule of thumb to determine whether an asset is in self-custody or organisational custody: Do I have to hope that I will not lose it or that they will not lose it?

How is this relevant to digital wallets? Because this distinction also applies. Especially with cryptocurrencies, the traditional way of holding is self-custody, i.e., keeping the cryptographic keys on your own hardware or software. But since many investors are (technological) laypeople, cryptocurrency exchanges offer custodial wallets to keep their keys safe. According to their own information, Binance was holding at least $63 billion worth in custody in early 2023.

The value proposition for customers is similar to the value proposition of credit cards over cash: they are effectively trading vouchers (cannot be replaced when lost) for credentials (can be replaced when lost). This may be a legitimate consideration for large amounts. Ideally, a wallet should make the distinction somewhat transparent, allowing customers easy access to both types of holdings. The convenience of custodial wallets notwithstanding, they cannot be used in offline scenarios, since there is no way for a counterparty to validate without online connectivity.

When Johnny can’t encrypt

In their seminal paper entitled “Why Johnny Can’t Encrypt”, Alma Whitten and Doug Tygar investigated the usability of a popular encryption tool. There, they write:

“User errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near nonexistent.”

Eighteen years after publication, this still rings true, especially for the emerging field of digital wallets. Laypeople – “Johnny” – may be overwhelmed with the technical details, including the distinction between credential and voucher.

In the context of digital currency, we should heed that warning and try to follow tried-and-tested approaches that users are familiar with. They know that bank notes can be used for payments offline. They know that credit cards can be used for payments online. When building wallet applications for digital currencies, we can combine both – by employing strong hardware security – and we can attempt to explain it for example by the notion of “downloading” your money.

In my opinion, this is a necessary prerequisite for user adoption. Cryptocurrency advocates often consider only self-custody to be a valid approach, yet this opens up enormous opportunity for fraud. It also has a regulatory downside: self-custody of vouchers with arbitrary face value would stifle any attempt to fight money laundering. This would be the digital equivalent of letting any person hoard large values of cash, which is difficult simply due to its sheer size, whereas a single cryptographic key could represent any amount of money.

Fortunately, there is a way out. Self-custody on user devices for small amounts and offline capability, and bank custody for everything else. Both would come with hardware protection to ensure a high degree of security. This works especially well in a digital currency system based on vouchers, instead of identities, because vouchers also protect privacy, since they contain no personal information. It is technology’s job to provide a good user experience for that.

Thanks to my colleague Markus Bohn for his comments on early drafts of this article. Read on: The second part about tokens is available here.

Ralf Nicklas

Head of Cards & Security at DG Nexolution

1 year ago

Hi Lars, very good article. By the way… …let us develop one universal wallet that covers everyone’s use case. BR Ralf https://xkcd.com/927/
