Module 8: Collaborative Custody and Multisignature

Goal: Design shared custody solutions for high-value clients

Learn how multisignature wallets distribute trust across multiple keys, eliminate single points of failure, and provide the security model best suited for significant Bitcoin holdings.

Why Multisig Exists

Single-signature self-custody (Module 7) solves counterparty risk but introduces a new problem: a single seed phrase is a single point of failure. If it is stolen, compromised, or lost, the Bitcoin is gone. Multisig solves this by requiring multiple keys to authorize any transaction.

How Multisig Works

A multisignature wallet requires M of N keys to sign a transaction. The most common configuration is 2-of-3: three keys exist, and any two must sign to move funds.

No single key can spend: A thief who steals one key cannot move the Bitcoin
One key can be lost: The remaining two keys can still access the funds
Geographic distribution: Keys stored in different locations, different devices, different jurisdictions
No single point of trust: No individual — including the advisor — has unilateral control

Common Configurations

2-of-3: Most popular. Balances security with recovery. One key can be lost without losing access. Ideal for most HNW clients.
3-of-5: Higher security threshold. Used for institutional treasuries or very large holdings. More complex to manage.
2-of-2: Both keys required. Maximum security but no redundancy — if one key is lost, funds are permanently inaccessible. Rarely recommended.

Key Holder Selection

Who holds each key in a multisig setup is the most important design decision. The distribution determines the security model, the recovery options, and the inheritance path.

2-of-3 Key Distribution Models

Model A: Client + Advisor + Custody Provider

Key 1: Client holds (hardware wallet at home)
Key 2: Collaborative custody provider holds (e.g., Unchained, Casa)
Key 3: Client holds in separate location (bank safety deposit box)

Advantage: Client controls 2 of 3 keys. Full sovereignty. Provider assists with transaction coordination and inheritance.

Model B: Client + Trusted Person + Custody Provider

Key 1: Client holds (hardware wallet)
Key 2: Trusted family member or attorney holds
Key 3: Collaborative custody provider holds

Advantage: Built-in inheritance path. If client is incapacitated, trusted person + provider can access funds.

Model C: Fully Self-Managed

Key 1: Client hardware wallet A (home)
Key 2: Client hardware wallet B (office or second property)
Key 3: Client hardware wallet C (bank safety deposit box)

Advantage: Zero third-party involvement. Maximum privacy. Disadvantage: No external help if client loses access to two locations.

Collaborative Custody Providers

Several companies specialize in helping individuals and advisors set up and manage multisig wallets. They typically hold one key in the multisig setup and provide software, support, and inheritance coordination.

Unchained

Model: 2-of-3 (client holds 2 keys)

Advisor program: Yes — dedicated advisor onboarding and co-branded experience

Inheritance: Built-in key transfer protocol

Pricing: Annual subscription ($250+/year)

Best for: Advisors who want a structured, supported multisig platform with client-facing tools

Casa

Model: 2-of-3 or 3-of-5

Advisor program: Limited

Inheritance: Casa Covenant (dedicated inheritance product)

Pricing: Tiered ($130–$250+/year)

Best for: Clients who want a polished mobile-first experience with premium support

Nunchuk

Model: Flexible M-of-N

Advisor program: No (self-serve)

Inheritance: Manual (no managed service)

Pricing: Free tier available; premium from $15/month

Best for: Technically comfortable clients who want full control and flexibility at lower cost

Recovery and Inheritance Planning

What Happens When a Key Is Lost?

In a 2-of-3 setup, losing one key does not mean losing funds. But it does mean the setup is temporarily degraded to a single point of failure until the lost key is replaced.

Detect the loss. Discover that one key is inaccessible (device failure, forgotten location, etc.).
Use remaining two keys to move funds. Sign a transaction with the two available keys to send Bitcoin to a new multisig wallet.
Generate a new third key. Set up a replacement key on a new hardware wallet.
Create the new multisig wallet. Register the new 2-of-3 configuration with the replacement key.
Transfer funds to the new wallet. Complete the migration from old to new multisig.

Critical: This recovery process must be documented and tested before it is needed. Module 10 covers the inheritance-specific aspects of this planning.

The Multisig Wallet Configuration File

Unlike single-sig wallets, multisig wallets require a wallet descriptor (or configuration file) that identifies all participating keys. This file does not contain private keys — it contains the public keys and the M-of-N policy.

Without this file, even possessing all private keys is not sufficient to reconstruct the wallet
The configuration file should be backed up alongside (but separate from) the seed phrases
Collaborative custody providers typically store this file on behalf of the client

Advisor Exercise: Design a Multisig Setup for a High-Net-Worth Client

Time: 60 minutes

Scenario: Your client is a 58-year-old business owner with $2.4M in Bitcoin, currently all on Coinbase. She is married, has two adult children, and wants maximum security with a clear inheritance path. She is not technically savvy but is willing to learn.

Design the Following:

Configuration: What M-of-N setup? Which key distribution model from above? Why?
Key holders: Who holds each key? What hardware wallet for each key? Where is each key stored?
Collaborative provider: Would you use Unchained, Casa, Nunchuk, or none? Why?
Migration plan: How do you move $2.4M from Coinbase to the new multisig? Timeline and batch sizes?
Inheritance plan: If the client dies unexpectedly tomorrow, how do the children access the Bitcoin? Who do they contact? What documents do they need?
Testing: How do you verify the setup works before the full migration? What does the test look like?
Ongoing management: What is the annual review process? When would you recommend changing the setup?

Discussion: Tradeoffs in Multisig Complexity

Multisig is more secure than single-sig, but it also introduces operational complexity that can itself become a risk.

Complexity risk: If the client doesn't understand their own setup, they may panic and make errors during a recovery scenario
Provider dependency: Using a collaborative provider means trusting that company will still exist in 10-20 years
Coordination overhead: Every transaction requires coordinating multiple devices, which slows down the process
Cost: Provider fees, multiple hardware wallets, and storage costs add up

Group question: At what allocation size does the security benefit of multisig clearly outweigh the operational complexity? Is there a case where single-sig is actually safer for a specific client?

Client Tool: Multisig Suitability Assessment

Use this to determine whether a client should move to multisig or remain on single-sig:

Allocation over $250K? → Multisig strongly recommended
Client willing to manage multiple hardware wallets? → If no, use collaborative provider to reduce burden
Clear inheritance needs? → Multisig with inheritance-ready key distribution
Multiple geographic locations available for key storage? → Required for proper multisig security
Willing to pay $250+/year for collaborative custody? → If no, consider self-managed multisig with Nunchuk or Sparrow
Comfortable with annual security review? → Required regardless of provider choice

Client Tool: Multisig Setup Documentation Template

Every multisig setup should include a written record (stored securely, separate from keys) covering:

☐ Configuration: M-of-N setup (e.g., 2-of-3)
☐ Key 1: Device type, location, who has access
☐ Key 2: Device type, location, who has access
☐ Key 3: Device type, location, who has access
☐ Wallet descriptor file: Where is it backed up?
☐ Collaborative provider: Name, account details, support contact
☐ Recovery procedure: Step-by-step for lost key scenario
☐ Inheritance instructions: Who to contact, in what order, with what documents
☐ Last verification date: When was the setup last tested?
☐ Next review date: Scheduled annual check

Key Takeaways

Multisig eliminates single points of failure by requiring multiple keys to authorize transactions
2-of-3 is the standard configuration for most high-net-worth clients — secure yet recoverable
Key holder selection and geographic distribution are the most important design decisions
Collaborative custody providers (Unchained, Casa, Nunchuk) simplify multisig management but introduce provider dependency
The wallet configuration file is as important to back up as the seed phrases themselves
Every multisig setup must include a documented, tested recovery procedure and inheritance plan (Module 10)

← Previous: Self-Custody Next: Day 3 - Bitcoin Tax Treatment →