The Critical Question: Who holds your backup keys, and what happens if you're incapacitated, coerced, or can't access your devices?
This guide helps you understand the trade-offs between "I hold 2 keys, vendor holds 1" (assisted multisig) versus true collaborative custody with documented recovery processes.
This guide helps you understand the trade-offs between "I hold 2 keys, vendor holds 1" (assisted multisig) versus true collaborative custody with documented recovery processes.
π Critical Concept: Email β Key Security
Your email is for identity and coordination β NOT for key security.
Many users mistakenly think losing email access = losing funds. This is not true for properly configured multisig.
π§ Email Controls
- Portal login access
- Recovery coordination
- Communication with service
- Account notifications
Keys Control
- Bitcoin access (spending)
- Transaction signing
- Actual custody of funds
- Recovery of wallet
π€ What happens if I lose access to my email?
Your funds remain safe on-chain.
To regain portal access:
- Contact service support with identity verification
- Or create new account with new email
- Re-import your wallet using your seed phrases/keys
β οΈ Best Practice:
- Use a long-term personal email (not work-based)
- Keep email credentials in your estate documents
- Document your security questions for heirs
Model Comparison: Side by Side
π΅ Assisted Multisig (2-of-3)
Setup: You hold 2 keys, vendor holds 1 backup key
β
Advantages:
- Easy to set up
- Vendor can't steal (needs your 2 keys)
- Lose 1 key? Vendor helps recover
- Lower cost
β Vulnerabilities:
- Single point of failure: YOU
- Illness/incapacity = no access
- Coercion ("sign with your 2 keys")
- Travel confiscation (if you carry both)
- No documented recovery for heirs
- Vendor key requires trusting their process
Best For:
- Individual holders
- Lower amounts (under $100K)
- Short-medium term (1-5 years)
- Low geopolitical risk
π’ Collaborative Custody
Setup: Quorum model with documented processes, third-party key holders, and recovery procedures
β
Advantages:
- No single point of failure
- Documented recovery processes
- Geographic distribution of keys
- Estate planning integration
- Coercion resistance (needs multiple parties)
- Professional processes & procedures
β οΈ Trade-offs:
- More complex to set up
- Higher costs (professional services)
- Requires coordination with third parties
- More documentation needed
Best For:
- Large holdings (over $100K)
- Multi-generational wealth
- Business/entity funds
- High geopolitical risk areas
- Elderly or health-compromised holders
Single Point of Failure Analysis
Scenario-Based Risk Assessment
How does each model handle real-world threats?
Scenario
Assisted Multisig
Collaborative Custody
π· Sudden Illness/Coma
β No access (you can't sign)
β
Documented process activates
π« Physical Coercion
β οΈ You hold both keys (vulnerable)
β
Multi-party approval needed
βοΈ Border Crossing
β οΈ Device confiscation = both keys exposed
β
Keys geographically distributed
π Divorce/Legal Dispute
β Single holder can be compelled
β
Legal firewall via third parties
π Estate Settlement
β Heirs must find vendor, prove identity
β
Pre-documented inheritance process
π₯ Device Compromise
β οΈ Both keys on your devices
β
Keys held by separate entities
Decision Quiz: Which Model Fits You?
Answer 5 Quick Questions
We'll recommend the best security model for your situation
1. How much Bitcoin are you securing?
2. What's your time horizon?
3. Do you travel internationally frequently?
4. Who should be able to access funds if you're incapacitated?
5. What's your technical comfort level?
Hardware Wallet Compatibility Matrix
Different hardware wallets have different seed formats and setup quirks. Here's what to expect with popular devices for multisig setups:
Trezor One
β Supported
Seed Format: 24 words
Setup Notes: Simple UI, confirm on screen
Tip: Verify all addresses on device screen before confirming
Trezor Safe 3 / Safe 5
β Supported
Seed Format: 20 or 24 words
Setup Notes: Choose 24 words manually for max security
β οΈ Quirk: Default is 20 words, but 24 is recommended for multisig compatibility
Ledger Nano X / S Plus
β Supported
Seed Format: 24 words
Setup Notes: Always verify addresses on device screen
Tip: Use Ledger Live for firmware updates, but coordinate wallets via Sparrow/Electrum for multisig
Coldcard Mk4 / Q1
β Supported
Seed Format: 24 words
Setup Notes: Air-gapped via microSD (PSBT workflow)
Pro Tip: Export wallet descriptor via microSD for Sparrow import
BitBox02
β Supported
Seed Format: 24 words
Setup Notes: Simple UI + optional microSD backup card
Tip: Touch sensors make verification intuitive
Jade / Passport
π‘ QR Workflow
Seed Format: 12 or 24 words
Setup Notes: QR code signing workflow (air-gapped)
Note: QR workflow reduces clipboard attack surface (no USB needed)
βοΈ Change Address Explained
Some hardware wallets call your change address a "second recipient." This is normal! When you send Bitcoin, any leftover amount returns to your wallet as "change"βit's not going to someone else, it's coming back to you.
Example:
You have: 0.01 BTC
You send: 0.003 BTC
Change back to you: 0.007 BTC (minus fees)
β Your device shows this as 2 outputs: one to recipient, one to yourself (change)
You have: 0.01 BTC
You send: 0.003 BTC
Change back to you: 0.007 BTC (minus fees)
β Your device shows this as 2 outputs: one to recipient, one to yourself (change)
Next Steps
If You Choose Assisted Multisig:
- Set up 2-of-3 with Unchained, Casa, or Nunchuk
- Store keys in separate locations (never together)
- Document your setup (encrypted, secure location)
- Test recovery process at least once
- Create a "letter to heirs" explaining how to contact vendor
If You Choose Collaborative Custody:
- Research providers: TBA by Choice, Onramp, or attorney-based solutions
- Understand quorum requirements (typically 2-of-3 or 3-of-5)
- Establish relationships with key holders (attorney, trusted advisor, family office)
- Document inheritance & incapacity procedures
- Schedule annual reviews of the setup