Bitcoin multisig: distributed custody

As long as a wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → relies on a single seed phrase×Seed phraseSequence of 12 or 24 words (usually in English) that encodes your master key. Universal wallet backup : with these words, you can restore your funds on any compatible software.See in the lexicon →, it lives with a structural weakness: loss, theft or disclosure of that single seed empties the wallet with no recourse. A steel plate in a bank safe improves physical resilience, a BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → passphrase×PassphraseExtra word or phrase you add to your seed phrase to create a hidden wallet. Optional security layer, independent of the seed.See in the lexicon → ("25th word") improves theft resistance, but none of these devices changes the nature of the problem: there is one place, or one brain, that holds the key to everything.

Multisig×Multisig (multi-signature)Configuration where a transaction must be signed by several independent keys to be valid (for example 2 of 3). Reduces the risk that a single key theft causes loss of funds.See in the lexicon → ("multi-signature") addresses this limit by requiring several independent signatures, produced by several distinct keys, to authorise a spend. An attacker who gets hold of a single key has nothing: they need at least M out of N. A key lost in a fire does not lock access to the funds as long as the others survive. Inheritance transmission can rely on cosigners without ever revealing the keys during your lifetime. This article explains when to move to multisig, how to choose between a turnkey solution and a personal setup, and why backing up the BIP380 descriptor matters as much as backing up the seeds themselves.

The principle: M signatures out of N keys

A multisig×Multisig (multi-signature)Configuration where a transaction must be signed by several independent keys to be valid (for example 2 of 3). Reduces the risk that a single key theft causes loss of funds.See in the lexicon → wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → is defined by two numbers: N, the total number of independent keys that make up the wallet, and M, the number of signatures required to validate a transaction. The most common configurations are 2-of-3 (two signatures from three cosigners) and 3-of-5 (three out of five). 2-of-2 exists but is discouraged: the loss of a single key locks the funds permanently.

Each key is a regular BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → seed, generated and stored as in a standard wallet, on a dedicated hardware wallet×Hardware walletSmall dedicated device (Ledger, Trezor, Coldcard, BitBox, etc.) that keeps the private key away from a potentially compromised computer. Signs transactions inside the device itself.See in the lexicon →. The difference is in the role: no single seed gives access to the funds. To spend, you produce a partial signature on device 1 (PSBT×PSBT (Partially Signed Bitcoin Transaction)Standard format (BIP 174) that lets you build a transaction on one device, sign it on another and broadcast it from a third. Backbone of the modern multisig workflow.See in the lexicon →, Partially Signed Bitcoin Transaction, BIP174), pass it to device 2 which adds its signature, and only when M signatures are gathered can the transaction be broadcast to the network.

Three fundamental properties stem from this mechanic:

• Loss resilience. On a 2-of-3, you can lose one seed and keep access to the funds with the other two. You then rebuild a new multisig to replace the lost key.
• Theft resistance. A burglar who finds a steel plate at your place gets one seed out of three: they can do nothing alone. To empty the wallet, they would need to find two of the three keys, ideally geographically distant.
• Coercion resistance. Even under duress, you cannot sign alone. An attacker who demands an immediate transfer hits a protocol obstacle: organising the signature of the two other cosigners takes time and creates opportunities.

Multisig has worked natively on Bitcoin since 2012 (BIP11, BIP16). It is invisible on-chain since Taproot×TaprootMajor Bitcoin upgrade activated in November 2021 (BIP 341). Brings more privacy, scripting flexibility and the efficiency of Schnorr signatures.See in the lexicon → (BIP341, 2021), which also improves privacy: a multisig transaction now looks like a regular single-sig transaction to an outside observer.

What multisig actually solves

Multisig×Multisig (multi-signature)Configuration where a transaction must be signed by several independent keys to be valid (for example 2 of 3). Reduces the risk that a single key theft causes loss of funds.See in the lexicon → changes nothing about the cryptographic security of Bitcoin itself: a single seed properly managed remains unbreakable by brute force. What it changes is the topology of trust. The whole benefit lies in five concrete scenarios.

Scenario 1: seed lost or destroyed. On a single-seed wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon →, losing the seed is final. On a 2-of-3, you lose one copy, the funds remain accessible with the other two. You rebuild a new multisig with a fresh seed to replace the lost one, then migrate the funds. It is no longer a catastrophe, just a maintenance operation.

Scenario 2: home burglary. On a single-seed, if the thief finds the steel plate (or paper note), they empty the wallet. On a distributed 2-of-3 (for example: home, bank safe, trusted relative or second home), the thief would need simultaneous access to at least two of the three locations. Statistically unlikely.

Scenario 3: phishing×PhishingAttack where someone impersonates a legitimate service via email, SMS or clone website, in order to extract your credentials or your seed phrase.See in the lexicon → or targeted malware. On a single-seed, if you type the seed on a malicious website or an infostealer finds it on your PC, the wallet is gone in minutes. On a multisig where each key lives on a distinct air-gapped×Air-gappedDevice fully disconnected from the Internet (not even USB). Top security level for signing a multisig transaction in a cold wallet.See in the lexicon → hardware, the attack must compromise M independent devices. Hard enough that the attack moves on.

Scenario 4: unprepared death. On a single-seed with no transmission setup, bitcoins die with you. On a collaborative multisig (Casa Inheritance, Unchained legacy) or personal multisig with an heir cosigner, the procedure is documented: the heir(s) sign with their key, plus the key they receive at death, and access the funds without you ever having revealed a seed during your lifetime.

Scenario 5: "rubber-hose attack". A physical-coercion attack on the holder. On a single-seed, the attacker gets everything in one session. On a multisig with a geographically distant key (a bank safe closed outside business hours, for example), the attacker cannot empty the wallet immediately, which makes the attack much less profitable.

These scenarios are not theoretical: each has caused documented bitcoin losses over the past ten years. Multisig is not paranoia, it is the architectural answer to observed risks.

When to switch: threshold and trade-offs

Multisig×Multisig (multi-signature)Configuration where a transaction must be signed by several independent keys to be valid (for example 2 of 3). Reduces the risk that a single key theft causes loss of funds.See in the lexicon → is not free. It introduces real operational complexity that must be weighed against the benefits.

Hardware overhead. Three distinct hardware wallets cost 250 to 500 EUR instead of 80 to 230 EUR for a single. Multiplied by the three metal plates for backups, you are looking at 400 to 800 EUR of initial outlay.

Daily complexity. A routine Lightning spend may still involve manually signing on two devices. For a large L1 transaction, you must pull two hardwares from their respective locations, plug them in, sign, transmit the PSBT×PSBT (Partially Signed Bitcoin Transaction)Standard format (BIP 174) that lets you build a transaction on one device, sign it on another and broadcast it from a third. Backbone of the modern multisig workflow.See in the lexicon →, sign again. Plan for 15 to 30 minutes per transaction if your keys are geographically distributed. Much more if one key is in a bank safe (you can only sign during opening hours).

Operational risk. A misconfigured multisig can lock access to funds just as definitively as a lost seed. Backing up the descriptor (see below) is an extra point of failure no one anticipates at first.

Given these frictions, here are the practical thresholds that have stabilised in the community:

• Up to 10,000 EUR held. Single-seed + hardware wallet×Hardware walletSmall dedicated device (Ledger, Trezor, Coldcard, BitBox, etc.) that keeps the private key away from a potentially compromised computer. Signs transactions inside the device itself.See in the lexicon → + metal plate + optional BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → passphrase×PassphraseExtra word or phrase you add to your seed phrase to create a hidden wallet. Optional security layer, independent of the seed.See in the lexicon →. Multisig here is over-engineering that costs more in operational risk than it returns in security.
• 10,000 to 100,000 EUR. Grey area. Single-seed with passphrase and redundant backups (two plates in two locations) remains reasonable. Multisig becomes worth it if you travel a lot, are publicly identified as a bitcoiner×BitcoinerPerson interested in Bitcoin, who holds some and adheres more or less to its values (individual sovereignty, sound money, decentralisation).See in the lexicon →, or are preparing transmission.
• Above 100,000 EUR. Multisig recommended. The complexity overhead amortises well against the asymmetry "irreversible loss vs small inconvenience".
• Above 1,000,000 EUR. Multisig mandatory, and probably combined with a collaborative service like Casa or Unchained for transmission guarantee and documentation quality.

Another criterion: personal profile. A Bitcoin developer who handles PSBTs daily can move to multisig from 5,000 EUR without pain. A retiree who rarely touches their wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → should wait for a higher threshold and favour assisted solutions.

Personal multisig with Sparrow Wallet

For users who want zero dependence on a third party, personal multisig×Multisig (multi-signature)Configuration where a transaction must be signed by several independent keys to be valid (for example 2 of 3). Reduces the risk that a single key theft causes loss of funds.See in the lexicon → built with Sparrow Wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → is the reference. The principle: three hardware wallets from three different brands, Sparrow as coordinator, backups geographically distributed, descriptor backed up separately.

Choosing three distinct brands (for example Ledger×Ledger, Trezor, Coldcard, BitBoxMain hardware wallet brands. Ledger Nano S Plus / X (French, the best-seller), Trezor Model T (Czech, open source), Coldcard Mk4 (Canadian, ultra-secure, Bitcoin-only), BitBox02 (Swiss, open source).See in the lexicon → + Trezor×Ledger, Trezor, Coldcard, BitBoxMain hardware wallet brands. Ledger Nano S Plus / X (French, the best-seller), Trezor Model T (Czech, open source), Coldcard Mk4 (Canadian, ultra-secure, Bitcoin-only), BitBox02 (Swiss, open source).See in the lexicon → + Coldcard×Ledger, Trezor, Coldcard, BitBoxMain hardware wallet brands. Ledger Nano S Plus / X (French, the best-seller), Trezor Model T (Czech, open source), Coldcard Mk4 (Canadian, ultra-secure, Bitcoin-only), BitBox02 (Swiss, open source).See in the lexicon →, or Trezor + BitBox×Ledger, Trezor, Coldcard, BitBoxMain hardware wallet brands. Ledger Nano S Plus / X (French, the best-seller), Trezor Model T (Czech, open source), Coldcard Mk4 (Canadian, ultra-secure, Bitcoin-only), BitBox02 (Swiss, open source).See in the lexicon → + Coldcard) is deliberate: it protects against a manufacturer-specific bug that would render the entire fleet unusable. If Ledger one day ships a faulty update, your other keys remain operational.

The flow of a personal 2-of-3 setup:

1. Initialise each hardware independently. Three seeds generated on three devices, three metal plates engraved immediately, three distinct storage locations (home, bank safe, trusted relative or second home).
2. Export the multisig xpub×xpub (extended public key)Extended public key. Lets a read-only wallet see addresses and balances without being able to sign. Used for tracking and observation.See in the lexicon → from each device. Each hardware provides an extended public key×Public keyNumber derived mathematically from the private key, used to build a Bitcoin address. Can be shared freely.See in the lexicon → (xpub) in BIP48 P2WSH or BIP86 Taproot×TaprootMajor Bitcoin upgrade activated in November 2021 (BIP 341). Brings more privacy, scripting flexibility and the efficiency of Schnorr signatures.See in the lexicon → format. Retrieve on Sparrow via USB or via exported file.
3. Create the multisig wallet in Sparrow. Wallet type "Multi Signature", quorum 2-of-3, adding the three xpubs. Sparrow then computes the full BIP380 descriptor that defines the wallet.
4. Back up the descriptor. Sparrow generates a .json file or displayable text. To be backed up in addition to the three seeds, in several places, ideally also on a metal plate or printed and stored like a seed (the descriptor is not a secret in the same sense, but it is essential to recovery).
5. Test with a small amount. Send 50 EUR to the multisig from an exchange×ExchangeService that lets you buy, sell and swap cryptocurrencies against fiat money. Examples : Kraken, Coinbase, Bitstamp, Bitvavo. Most are custodial.See in the lexicon →. Once confirmed, simulate a full spend: generate a PSBT×PSBT (Partially Signed Bitcoin Transaction)Standard format (BIP 174) that lets you build a transaction on one device, sign it on another and broadcast it from a third. Backbone of the modern multisig workflow.See in the lexicon → on Sparrow, sign on device 1, transfer the PSBT to device 2, sign, broadcast. If the transaction goes out, the multisig is viable.

Once the multisig is operational, never touch it otherwise than through this flow. And document the procedure for yourself (in an instruction letter with a notary or relative, without disclosing the seeds) and for your potential heirs.

The BIP380 descriptor: the forgotten backup

The most common mistake on personal multisigs is believing that the three seeds are enough to rebuild the wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon →. They are not. To recover the funds, you also need the descriptor: the string that defines the wallet (quorum, order of the xpubs, script type, derivation path). Without the descriptor, even with the three seeds in hand, you cannot reconstruct the exact address that holds your bitcoins.

The descriptor, defined by the BIP380 standard, looks like this:

wsh(sortedmulti(2,[fingerprint1]xpub1.../0/*,[fingerprint2]xpub2.../0/*,[fingerprint3]xpub3.../0/*))

Three key features:

• It contains the xpubs of the three keys. These are not secrets strictly speaking (xpubs do not reveal private keys), but their leakage lets an observer track all your transactions; protect them as private data.
• It defines the quorum and the order. 2-of-3 with xpub1 + xpub2 + xpub3 in that exact order generates different addresses than xpub3 + xpub1 + xpub2. The sortedmulti function in Sparrow sorts alphabetically, which removes that dependency; but confirm it for every configuration.
• It is essential. Without the descriptor, you must guess the exact configuration. With 3 different-brand hardwares and several possible derivation schemes (BIP48 P2WSH, BIP86 Taproot×TaprootMajor Bitcoin upgrade activated in November 2021 (BIP 341). Brings more privacy, scripting flexibility and the efficiency of Schnorr signatures.See in the lexicon →, etc.), the combinations are numerous. Several documented cases of funds blocked for weeks due to a lost descriptor.

How to back up the descriptor:

• Export from Sparrow (.json file or text) and store several copies: on an encrypted USB drive at home, on an external drive at a relative's, ideally also printed and placed with the seed backups.
• Some hardware (Coldcard×Ledger, Trezor, Coldcard, BitBoxMain hardware wallet brands. Ledger Nano S Plus / X (French, the best-seller), Trezor Model T (Czech, open source), Coldcard Mk4 (Canadian, ultra-secure, Bitcoin-only), BitBox02 (Swiss, open source).See in the lexicon →, Trezor×Ledger, Trezor, Coldcard, BitBoxMain hardware wallet brands. Ledger Nano S Plus / X (French, the best-seller), Trezor Model T (Czech, open source), Coldcard Mk4 (Canadian, ultra-secure, Bitcoin-only), BitBox02 (Swiss, open source).See in the lexicon → Safe 5) allow storing the descriptor directly on the device, which helps recovery.
• Document the descriptor in the instruction letter passed to the notary or heir, without including the seeds.
• Test recovery from the descriptor alone + one of the seeds, in a throwaway wallet, to verify×Don't trust, verifyBitcoiner mantra. Trust no one (bank, government, exchange, influencer), verify on your own through your own node.See in the lexicon → you know how to do it and that the configuration is correct.

A metaphor: the seed is the key, the descriptor is the plan of the safe. Without the plan, you don't know where to insert it.