My most elegant security system was for a crypto platform I wrote in 2018. The owners wanted Ethereum's ECDSA since it was already part of our platform. We delegated encryption key management to customers which simplified the system quite a bit, our system stored only public keys. The signed JSON message is part of the incoming REST header. ECDSA extracts the public key from the message and the app associates it to a user id.

A nice feature is immutability of the message, so we can legally guarantee timestamps, reference ids, etc.

It's essentially a passwordless system and requires a client SDK to encrypt the signed message with the client's private key. But in a commercial system, you want to avoid integrating and managing each client's security anyway.

For physical access by software developers, administrators, etc, we used physical Yubikey USB keys, FIPS 140-2 standard.

The Ethereum master account keys were stored in AWS Secrets Manager with a physical backup copy stored in a off-site vault. In 2018, multi-signature options were just coming out so we didn't use them.

AD1: Infrastructure with Cloud Formation
AD2: Messaging I/O
AD3: Abstract Factory
AD4: Database
AD5: Application Layer - Aspects
AD5: Application Layer - Canonical
AD5: Application Layer - Data Mapping
AD5: Application Layer - Protocol Adapter
AD6: Security