Well, one way to do second-level key security is to have the program collect keys and then forget them after it uses them. That way rather than having one master key in permanent storage where it can be compromised we have no access to the account except during the extremely-brief period when it has enough keys to do a sign.