I get the same question every few weeks, in some variation: “Is a hardware wallet enough, or should I do multisig? And what about SeedQR?” The answer everyone gives is “it depends on your threat model” — which is technically correct and practically useless if you don’t yet have a threat model.
This is the version of that conversation I wish someone had given me when I started. It’s structured around what actually fails in each setup, not around abstract security ratings. By the end, the right answer for your situation should be obvious.
TL;DR. A single hardware wallet with a paper or steel BIP-39 backup is the right answer for most people holding under ~$50K — simple, works, the failure modes are well-understood. Above that, the math on multisig starts to favor 2-of-3 with geographic distribution; below that, the operational complexity adds more risk than it removes. SeedQR is a backup format, not a separate strategy — it pairs with either approach. The single biggest failure across all setups is not technical: it’s losing access yourself, usually because the backup procedure was never tested.
What “cold storage” actually means
Cold storage just means private keys that are not connected to the internet. The keys generate addresses, sign transactions, and otherwise live their entire lives offline; only the unsigned transaction or PSBT (partially signed Bitcoin transaction) ever travels through an internet-connected device.
The threat that cold storage defends against is remote compromise: malware on your laptop, a phishing extension in your browser, a server that gets hacked. None of these can extract a key that was never on a connected machine. Cold storage does not defend against:
- Physical theft of the device + backup. Solved separately by encryption (passphrase) or geographic distribution.
- Coercion. Someone at your door demanding access. Solved by plausible-deniability schemes (decoy wallets) or by simply not having the keys easily reachable.
- Loss / forgetfulness. The most common failure. Solved by tested backups and by having someone else who can recover if you become unavailable.
- Software bugs in the device firmware itself. Mitigated by sticking with well-audited devices and avoiding bleeding-edge firmware on funds you cannot afford to lose.
Each storage strategy below trades among these. There is no strategy that minimizes all of them at once.
Strategy 1 — Single hardware wallet + steel backup
The default. Buy a hardware wallet direct from the manufacturer — Ledger, Trezor, Coldcard, or BitBox — set it up offline, write the 24-word BIP-39 phrase on a steel plate (Cobo Tablet, Blockmit, Steelwallet, or a DIY punched plate), and store the plate somewhere fire- and water-resistant.
Verify the device is genuine before generating a seed (Ledger calls this “Genuine Check”; Trezor uses Trezor Suite’s verification). Verify the companion app installer with our Wallet verify tool — the app you install is what asks the device to sign things, so a tampered app on a genuine device still drains funds. Verify your first receive address by deriving it on the device itself, not just by trusting the companion app’s display.
What this defends against well:
- Remote compromise of the connected machine. The keys never leave the device.
- House fires (with a steel backup and a fireproof storage location).
- Single-event mistakes — fat-fingering a transaction, signing the wrong address — because the device’s screen forces you to confirm what you’re signing.
What it doesn’t defend against:
- Single point of failure on the seed. Anyone who finds the steel plate can move all the funds. If the plate is in your safe and someone breaks into your safe, you’re done.
- Coercion. If someone is willing to apply force, the device is a single object that does the signing, and you can be made to sign with it yourself.
- Loss + amnesia + no backup of the backup. A surprising number of “I lost my Bitcoin” stories are not technical failures. They are people who put the seed somewhere “safe” and either forgot where, or moved out and don’t remember which storage unit it ended up in.
This is the right setup for most users with under $50K in long-term storage. It’s simple, well-documented, the failure modes are concrete, and the operational overhead is genuinely low — you set it up once, test the backup once a year, and otherwise leave it alone.
Strategy 2 — Multisig (2-of-3 or 3-of-5)
A 2-of-3 multisig wallet uses three independent keys, and any signature requires two of them to cooperate. Typically those keys live on three different hardware wallets — a Coldcard at home, a Trezor in a safe deposit box, a BitBox at a trusted family member’s house, for example.
The defining property: there is no single object whose loss or compromise is fatal. Lose the device at home? You still have the safe deposit box and the family member’s device — recover with those two. Someone breaks into your house and finds the device + an unencrypted seed backup? They have one key. They cannot move funds without two.
This is enormously powerful, and it comes with operational cost that most multisig advocates undersell:
- Three pieces of hardware to set up correctly. Each one has to be verified genuine, each one’s seed has to be backed up to steel, and the three xpubs have to be assembled into a multisig descriptor in coordinator software (Sparrow, Specter, Caravan, Blue Wallet).
- The wallet descriptor itself is a backup. If you have all three seeds but not the descriptor (xpubs in their proper order, derivation paths, script type), recovering funds requires reconstructing the descriptor — which is possible but error-prone. Wallet vendors have started shipping mnemonic + descriptor paper backups; use them.
- Heir / continuity planning gets harder. If something happens to you, the people you’d want to be able to recover funds need to know which two of three keys to find, where to find each, and how to use the coordinator software. This is a non-trivial document for a non-technical heir.
- Channel-opening on Lightning is not multisig. If you use Lightning, your channel is a 2-of-2 with the channel partner, and the recovery path is different. Multisig is for cold storage; Lightning balances are a separate operational layer.
What this defends against:
- Single hardware wallet compromise. Even if one device is shipped with a malicious firmware, it can only contribute one signature. Funds need two.
- Coercion at one location. Someone at your front door cannot move funds even with full physical access to your home setup.
- Geographic catastrophe. A house fire that destroys the safe and the backup steel plate is survivable if one of the keys is genuinely off-site.
What it doesn’t help with:
- Operational mistakes during setup or recovery. A misordered xpub list at setup creates a descriptor that does not correspond to the addresses actually in use. People have lost funds to this. Test recovery before depositing.
- Loss of the descriptor + two of three seeds. Multisig changes the failure mode but does not eliminate it. With one seed and a descriptor, you can derive that single signature; but signing requires two seeds and the descriptor.
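Why key order is part of the backup, shown as an added example (not from the original post or any wallet's code): the same three keys in a different order produce a different P2WSH output under `wsh(multi(...))`, while the sorted form `wsh(sortedmulti(...))` does not care about order. The 33-byte keys are constructed stand-ins for already-derived child public keys, and the function names are hypothetical.

```python
import hashlib

OP_0 = 0x00
OP_CHECKMULTISIG = 0xAE


def constructed_key(label: str) -> bytes:
    """33-byte stand-in for a compressed child pubkey (constructed, not a real key)."""
    return b"\x02" + hashlib.sha256(label.encode()).digest()


def witness_script(m: int, pubkeys: list[bytes], sort_keys: bool = False) -> bytes:
    """m-of-n CHECKMULTISIG script; sort_keys=True mimics sortedmulti (BIP-67 order)."""
    keys = sorted(pubkeys) if sort_keys else list(pubkeys)
    if not 1 <= m <= len(keys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    script = bytes([0x50 + m])                       # OP_m
    for key in keys:
        if len(key) != 33:
            raise ValueError("expected 33-byte compressed pubkeys")
        script += bytes([33]) + key                  # push the 33-byte key
    return script + bytes([0x50 + len(keys), OP_CHECKMULTISIG])


def p2wsh_script_pubkey(script: bytes) -> bytes:
    """P2WSH output script: OP_0 followed by the SHA-256 of the witness script."""
    return bytes([OP_0, 32]) + hashlib.sha256(script).digest()


def same_output(order_a: list[bytes], order_b: list[bytes], sort_keys: bool) -> bool:
    """True if both key orderings of a 2-of-n wallet pay to the same output script."""
    a = p2wsh_script_pubkey(witness_script(2, order_a, sort_keys))
    b = p2wsh_script_pubkey(witness_script(2, order_b, sort_keys))
    return a == b


# Constructed keys for the three cosigners at one address index.
HOME, BANK, FAMILY = (constructed_key(n) for n in ("home", "bank", "family"))

if __name__ == "__main__":
    # multi(): order as written in the descriptor decides the address.
    print("multi, swapped order matches:      ",
          same_output([HOME, BANK, FAMILY], [BANK, HOME, FAMILY], sort_keys=False))
    # sortedmulti(): keys are sorted before the script is built.
    print("sortedmulti, swapped order matches:",
          same_output([HOME, BANK, FAMILY], [BANK, HOME, FAMILY], sort_keys=True))
```

Either way the descriptor still has to be backed up: the script type, threshold and derivation paths are not recoverable from the seeds alone.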
Multisig becomes economically rational somewhere in the $50K–$250K range, depending on your tolerance for the operational complexity. Below $50K, the marginal security gain rarely justifies the marginal complexity. Above $250K, doing anything less than multisig starts to feel reckless in proportion to the asset size.
Strategy 3 — SeedQR / metal-printed seed backups
SeedQR is not a competing strategy — it’s a backup format that works with both single-sig and multisig setups. The basic idea: the 24-word BIP-39 mnemonic is encoded as a QR code, etched on a steel plate, and stored alongside (or instead of) the word list.
Advantages over a written word list:
- Faster recovery. You scan the QR with a hardware wallet that supports SeedQR (Coldcard, recent Foundation Passport firmware, Sparrow companion), instead of typing 24 words on a tiny keypad.
- No transcription errors. Writing or typing 24 words manually is a known source of single-character errors that fail the BIP-39 checksum and waste hours figuring out which word is wrong.
- Smaller surface for accidental disclosure. A QR code at a glance is harder to read than a word list; if someone walks past your safe with the door briefly open, they’re less likely to memorize the seed.
Disadvantages:
- Requires a scanner-capable device. If your only hardware wallet is a Trezor One, you cannot import a SeedQR — you’d need to use a third-party app to convert it back to words first.
- The format itself is a known target. Drainer tooling has begun including QR-from-photo recovery; if a photo of the QR code leaks (cleaning service, contractor, social engineering of you at home), the seed is gone. Same as a photo of the word list, but with marginally more attention from attackers.
SeedQR is a worthwhile upgrade over a written word list for any setup, but it is not a substitute for the hard problems multisig solves.
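A Standard SeedQR carries the mnemonic as a run of 4-digit word indices (0000 to 2047), so the BIP-39 checksum can be checked on the scanned digits without the word list. The following is an added example, not code from the original post or from any wallet vendor; the function names are hypothetical, the sample digit strings are constructed from all-zero entropy, and a real seed should only ever be checked on an offline machine.

```python
import hashlib

VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def parse_standard_seedqr(digits: str) -> list[int]:
    """Split a Standard SeedQR digit stream into BIP-39 word indices."""
    digits = digits.strip()
    if not (digits.isascii() and digits.isdigit()) or len(digits) % 4:
        raise ValueError("expected ASCII digits, 4 per word")
    indices = [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]
    if len(indices) not in VALID_WORD_COUNTS:
        raise ValueError(f"unsupported word count: {len(indices)}")
    for position, index in enumerate(indices, start=1):
        if index > 2047:
            raise ValueError(f"word {position}: index {index} is outside 0..2047")
    return indices


def bip39_checksum_ok(indices: list[int]) -> bool:
    """Recompute the BIP-39 checksum from the entropy bits and compare."""
    total_bits = len(indices) * 11
    checksum_bits = total_bits // 33          # ENT/32, e.g. 8 bits for 24 words
    entropy_bits = total_bits - checksum_bits
    value = 0
    for index in indices:                     # concatenate the 11-bit indices
        value = (value << 11) | index
    entropy = (value >> checksum_bits).to_bytes(entropy_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - checksum_bits)
    return (value & ((1 << checksum_bits) - 1)) == expected


def seedqr_is_valid(digits: str) -> bool:
    """Parse a scanned digit stream and report whether its checksum holds."""
    return bip39_checksum_ok(parse_standard_seedqr(digits))


# Constructed test inputs: all-zero entropy, never to be used as a wallet.
ZERO_12 = "0000" * 11 + "0003"
ZERO_24 = "0000" * 23 + "0102"
ONE_DIGIT_OFF = "0000" * 11 + "0004"          # a single transcription slip

if __name__ == "__main__":
    for name, sample in (("12 words", ZERO_12), ("24 words", ZERO_24),
                         ("one digit off", ONE_DIGIT_OFF)):
        print(f"{name}: checksum {'ok' if seedqr_is_valid(sample) else 'FAILED'}")
```

A passing checksum only catches transcription errors: 8 checksum bits on a 24-word seed means about 1 in 256 random corruptions still pass, so a full recovery test remains the real check.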
How to actually decide
I’d ask three questions, in order, and follow the obvious answer:
- How much Bitcoin are you storing? Under $10K: a single hardware wallet with a paper backup is fine; the operational risk of more complex setups likely exceeds the security benefit. $10K–$50K: single hardware wallet with a steel backup, plus a tested recovery procedure. $50K–$250K: actively consider 2-of-3 multisig. Above $250K: multisig is the floor, not the ceiling — also think about geographic distribution and a documented heir plan.
- Do you have someone who would need to recover this if you couldn’t? If yes, write a recovery plan now. Test it (or a sanitized version of it) with that person while you’re alive. Multisig is harder for heirs than single-sig — lean toward simpler single-sig + a robust paper recovery plan unless your asset size demands the multisig complexity.
- What’s the most likely thing that would actually go wrong in your life? Not the cinematic threat. The mundane one. Most people lose funds because they (a) didn’t test the backup, (b) lost the backup in a move, (c) forgot the passphrase they thought was clever, or (d) trusted a tampered installer or an extension that exfiltrated the seed. Those four risks dwarf the exotic ones. Whatever you do, do something about each of them. Use our Wallet installer SHA-256 verifier before installing anything. Use our BIP-39 validator to confirm a hand-written word list passes its checksum before you trust it as a backup. Use our Address validator before any send.
What I personally do
For full transparency: I run a 2-of-3 multisig for the bulk of my long-term holdings, with one Coldcard at home, one BitBox02 in a safe deposit box, and one at a family member’s. The fourth-level backup is a written multisig descriptor + each seed transcribed onto steel, distributed across the same three locations. I have a separate single-sig hardware wallet for “operational” funds — anything I’d use for spending in the next 6 months — because the multisig signing flow is too cumbersome for a payment I’m making now. Lightning balances live in Phoenix on my phone, with Phoenix’s bLIP-39 seed backed up to steel in the same way.
That’s a setup that fits an asset size and a risk tolerance that may or may not match yours. The point isn’t that 2-of-3 is the right answer in absolute terms; it’s that the specific failure modes I’ve thought about are the ones I designed against. Your design should start from your specific failure modes, not from a generic security ladder.
The single most important thing — more important than the choice of strategy — is testing the recovery procedure before depositing serious money. Do a full wipe of the hardware wallet, recover from the backup, and confirm you can derive the same first address. Most “I lost my Bitcoin” stories trace back to this step being skipped. Don’t trust your backup until you’ve verified you can recover from it.