Many blockchain networks have added native support for multisig accounts as a more secure option compared to the default single-key accounts that most people use.
While a multisig approach has many far-reaching advantages, the primary benefit is drastically improved key security: to complete a transaction, you will need two or more valid keys. This eliminates single points of failure while opening the door for additional security measures to protect account funds.
One of those measures is the ability to keep multiple private account keys in different physical locations, completely offline, on an air-gapped machine, or in cold storage. By combining a multisig account with offline or cold key storage, you can greatly increase the security of accounts, particularly those storing and managing larger amounts of digital currency. A regular account has a single spending key associated with it that is needed in order to spend funds and sign other transactions. By contrast, a multisig account has multiple keys associated with it.
Jerry Brito, Executive Director of Coin Center, provides a great overview of multisignature technology and the increased security it provides to users of cryptocurrencies in this video from the Federalist Society.
Determining the Number of Keys for Your Multisig Account
When you set up a multisig account, you will need to specify how many total keys will be part of the account, and how many of those keys are needed in order to spend funds in the account. Sometimes this is referred to as M-of-N keys, where N is the total number of keys that are part of the account, and M is the number of keys needed to spend funds from the account. In practice, M is typically less than the total number of keys that the account has. For example, I could create a 2-of-3 multisig account where there are three private keys for the account, but any two of them can be used to spend funds in the account.
The 2-of-3 setup has good security properties. Consider this: if you secure each of the three keys in different locations, even if one of the keys is compromised, it alone cannot be used to steal funds. If you know that one of the keys has been compromised, you can use the other two keys to move the funds to another account, thus moving your funds to safety. The same scenario applies to the (possibly more likely scenario) where one of the keys is lost. You can use the other two keys to transfer the funds to a new account, thereby invalidating the lost key.
Requiring multiple people to sign a transaction provides an opportunity to implement a governance process around the movement of funds. For these reasons, multisig accounts are very often used to provide an additional layer of security for funds in an account.
Consider the previous 2-of-3 multisig example where, instead of three different locations, you give each of the three keys to a different person for safekeeping. A single person cannot decide to spend the funds in the multisig account — they will need at least a second user to agree before any funds can be spent. In a corporate setting, dividing authority in this way and requiring a quorum can be a useful tool for governance processes.
Choosing the correct values for M and N will be specific to the scenario, and multiple factors need to be considered. Examples of factors include: the amount of funds or assets in the account, the number of people involved in managing the funds in the account, and the frequency with which funds need to be accessed or moved. Very common configurations include 2-of-3 and 3-of-5, but higher numbers such as 7-of-10 are not uncommon.
As with many security-related things, there general is a tradeoff between security and convenience. A single key account is the most convenient but the least secure. A 7-of-10 multisig account, where you put each of the 10 keys on a Cryptosteel in 10 different bank safety deposit boxes in 10 different cities, has a lot more security. But assembling 7 of these 10 keys to send a transaction is a lot more work than the single-key setup. You have to decide the right place to be on the convenience-vs-security spectrum for any particular use case.
Always Keep Secrets Offline
The spending keys associated with a multisig account are best kept totally offline for storage, and only used on an air-gapped machine. This machine should not have an internet connection and should never have been on the internet. Any time a computer is on the internet, there is a risk that data on that machine has been compromised, so the risks of an online attack are greatly reduced by never having had an internet connection at all.
One approach to storing keys offline is to have a dedicated computer or laptop whose only purpose is to keep the account secrets and to perform signing actions. Theoretically, this would be the best and safest setup. However, this may not be practical or cost-effective for individuals who only have one computer, or don’t want to dedicate a computer to this task.
A less expensive (but still good) option is to use a bootable USB device. An Ubuntu 18.04 LTS bootable USB can serve well as an air-gapped machine. If you boot your computer with an Ubuntu bootable USB drive, you will have a full yet ephemeral Ubuntu installation without networking and that has never been on the internet.
Learn how to create your own multisig account using this step-by-step tutorial I created.