What is Bitcoin Multisig?

Bitcoin multisig requires more than one private key to authorize a transaction. Learn how m-of-n quorums work, what multisig eliminates, and when to use it.

Bitcoin multisig, or "multi-signature," is a wallet configuration that requires more than one private key to authorize a transaction. This ensures that no single key loss, theft, or compromise can result in total, permanent loss of your bitcoin.

Where a singlesig wallet has one key that controls everything, multisig distributes signing authority across multiple keys. This means no one key is sufficient on its own, and the spending policy is encoded at the protocol level, not enforced by any software or service.

The Problem Multisig Solves

Every singlesig Bitcoin wallet has concentrated points of failure that can result in the permanent loss of your bitcoin.

  1. Seed phrase discovered: If your sole seed phrase is discovered by the wrong person, then they can steal all your bitcoin while you still hold the device.

  2. Device and backup loss: If you lose your signing device, and the seed phrase that backs it up, your bitcoin becomes permanently inaccessible.

  3. Device stolen and PIN compromised: If your device is stolen and the thief knows your PIN, they can steal all your bitcoin.

In singlesig, your signing device and seed phrase are critical points of failure that can result in total loss of your bitcoin if compromised.

Several workarounds may appear to reduce singlesig risks, but do not actually eliminate them.

  • If you make multiple copies of your sole seed phrase, this can add redundancy to mitigate loss but it also multiplies the locations where it can be found or stolen.
  • Owning multiple hardware wallets derived from the same seed accomplishes nothing, since the same single seed is still the single point of failure.
  • Adding a BIP39 passphrase introduces a second factor, but if the passphrase is forgotten or destroyed, the funds are permanently locked, and if it is stored near the seed phrase, it adds no security against theft.

Multisig exists to alleviate this concentration of risk by distributing signing and recovery responsibilities across multiple keys and backups.

For small spending amounts, singlesig configurations can be acceptable since they require fewer steps to transact and the convenience can be an adequate tradeoff for the risk. For significant long-term savings, the concentrated points of failure deserve serious consideration.

How Does Bitcoin Multisig Work?

Multisig is Bitcoin's native mechanism for requiring multiple signatures before a transaction can be authorized. It is built into Bitcoin's scripting language and has been part of the protocol since BIP-11 in 2012. It is not a product or a service but a spending policy encoded in the transaction itself.

The core concept is the "m-of-n" threshold. A multisig wallet requires "M" signatures from "N" possible private keys to authorize a spend. The keys can be held by different people, on different devices, in different locations, and do not need to be present at the same time.

You can set up a multisig with a variety of possible configurations. The most common configurations and their uses are shown below.

Configuration  Keys held  Signatures needed  Primary use
1-of-2         2          1                  Two-location redundancy
2-of-2         2          2                  Joint accounts, shared custody
2-of-3         3          2                  Standard personal and institutional
3-of-5         5          3                  Large institutional

2-of-3 is the standard for individual Bitcoin holders because it achieves both properties simultaneously: one lost key does not eliminate access, and one stolen key cannot enable theft. For most discussions relating to multisig, it is assumed that 2-of-3 is the default.

In the 2-of-3 arrangement, any two of the three keys can authorize a spend, in any combination and in any sequence. For a more detailed treatment of how to select your quorum and distribute keys geographically, see 2-of-3 Multisig Explained.

Multisig requires more coordination, carries higher on-chain fees for traditional script types, and adds a required backup item, the output descriptor, that singlesig does not need. For significant savings these trade-offs are worth it, but the overhead is not always justified for smaller amounts.

Bitcoin supports multisig configurations up to 15-of-15 with traditional script types. Multisig can also be extended with time-based or condition-based spending policies using Miniscript.
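To make "a spending policy encoded in the transaction itself" concrete, the following added example (not code from the original article) builds the raw m-of-n script and its native SegWit locking script, and shows that key order changes the result unless keys are sorted. The three keys are constructed placeholders, and the 15-key cap is the figure this article cites.

```python
import hashlib

OP_0, OP_1, OP_CHECKMULTISIG = 0x00, 0x51, 0xAE
MAX_KEYS = 15  # limit the article cites for traditional script types

def multisig_script(m, pubkeys, sort_keys=False):
    """Return the raw m-of-n script: OP_m <key>... OP_n OP_CHECKMULTISIG."""
    n = len(pubkeys)
    if not 1 <= m <= n <= MAX_KEYS:
        raise ValueError(f"invalid quorum {m}-of-{n}")
    if any(len(k) != 33 or k[0] not in (2, 3) for k in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    if len(set(pubkeys)) != n:
        raise ValueError("duplicate key: quorum would be weaker than it looks")
    keys = sorted(pubkeys) if sort_keys else list(pubkeys)
    body = b"".join(bytes([33]) + k for k in keys)  # 0x21 = push 33 bytes
    return bytes([OP_1 + m - 1]) + body + bytes([OP_1 + n - 1, OP_CHECKMULTISIG])

def p2wsh_script_pubkey(script):
    """Locking script for native SegWit: OP_0 <sha256(script)>."""
    return bytes([OP_0, 32]) + hashlib.sha256(script).digest()

# Constructed placeholder keys (right length and prefix, not real wallet keys).
KEY_A, KEY_B, KEY_C = (b"\x02" + bytes([i]) * 32 for i in (1, 2, 3))

if __name__ == "__main__":
    s1 = multisig_script(2, [KEY_A, KEY_B, KEY_C])
    s2 = multisig_script(2, [KEY_C, KEY_A, KEY_B])
    print("script:", s1.hex())
    print("same keys, other order, same locking script?",
          p2wsh_script_pubkey(s1) == p2wsh_script_pubkey(s2))
```

With `sort_keys=True` the keys are ordered lexicographically before the script is built, so any ordering of the same keys yields the same locking script.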

How is a Multisig Transaction Signed?

In a multisig wallet, no single device signs alone. The unsigned transaction travels to each signing device in sequence, each adds its signature, and once the threshold is met, the transaction is ready to broadcast. No two private keys are ever on the same device.

The signing workflow has five steps.

  1. A watch-only coordinator (Sparrow or similar software, holding the wallet's xpubs but no private keys) constructs the unsigned transaction and formats it as a PSBT (partially signed bitcoin transaction).

  2. The PSBT travels to the first signing device. The device verifies that the transaction matches its registered wallet configuration and displays the transaction details on its own screen, including the destination address, amount, change address, and fee.

  3. After the user approves on the first device, the device adds its signature and returns the partially-signed PSBT to the coordinator.

  4. The once-signed PSBT travels to the second signing device. That device independently verifies the transaction details on its own screen and adds its own signature.

  5. The coordinator receives the signed PSBT, finalises it, and broadcasts to the Bitcoin network.

Each signing device independently verifies the transaction on its own screen, which is one of multisig's underappreciated security properties. In a Coldcard-based multisig setup, this happens regardless of what the coordinator software displays.

The PSBT format is what makes this coordinated workflow possible. For a full explanation of how PSBTs carry partial signatures between multiple signers, see "What is a PSBT?".
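The coordinator's side of steps 3 to 5 can be checked mechanically: the added example below (not from the original article) parses a version 0 PSBT as laid out in BIP-174 and counts the partial signatures attached to each input, so a quorum shortfall is visible before finalising. It only counts signatures and does not validate them; the sample PSBT is constructed with dummy keys and signature bytes.

```python
import io

PSBT_MAGIC = b"psbt\xff"
GLOBAL_UNSIGNED_TX, IN_PARTIAL_SIG = 0x00, 0x02  # BIP-174 key types

def read_compact_size(s):
    first = s.read(1)[0]
    if first < 0xFD:
        return first
    return int.from_bytes(s.read({0xFD: 2, 0xFE: 4, 0xFF: 8}[first]), "little")

def read_map(s):
    """Read key-value pairs until the 0x00 separator that ends a map."""
    pairs = []
    while (klen := read_compact_size(s)) != 0:
        key = s.read(klen)
        pairs.append((key, s.read(read_compact_size(s))))
    return pairs

def partial_sig_counts(psbt):
    """Number of partial signatures attached to each input of a v0 PSBT."""
    s = io.BytesIO(psbt)
    if s.read(5) != PSBT_MAGIC:
        raise ValueError("not a PSBT")
    unsigned_tx = dict(read_map(s))[bytes([GLOBAL_UNSIGNED_TX])]
    tx = io.BytesIO(unsigned_tx)
    tx.read(4)                         # skip the 4-byte version field
    n_inputs = read_compact_size(tx)   # one input map follows per tx input
    return [sum(k[0] == IN_PARTIAL_SIG for k, _ in read_map(s))
            for _ in range(n_inputs)]

def quorum_met(psbt, m):
    """True once every input carries at least m partial signatures."""
    return all(c >= m for c in partial_sig_counts(psbt))

# --- Constructed sample: dummy keys and signatures, not valid on any network.
def _kv(key, value):
    return bytes([len(key)]) + key + bytes([len(value)]) + value

def sample_psbt(n_signers):
    tx = (bytes.fromhex("02000000") + b"\x01" + bytes(36) + b"\x00"
          + b"\xff" * 4 + b"\x01" + (50_000).to_bytes(8, "little")
          + b"\x22" + b"\x00\x20" + bytes(32) + bytes(4))
    sigs = b"".join(_kv(b"\x02\x02" + bytes([i]) * 32, b"\x30" * 71)
                    for i in range(1, n_signers + 1))
    return PSBT_MAGIC + _kv(b"\x00", tx) + b"\x00" + sigs + b"\x00" + b"\x00"
```

For a 2-of-3 wallet, `quorum_met(sample_psbt(1), 2)` is false after the first device signs and `quorum_met(sample_psbt(2), 2)` is true after the second.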

The Output Descriptor: The Backup Most People Forget

In a singlesig wallet, the seed phrase alone is sufficient for recovery. In a multisig wallet, the seed phrase is necessary but not sufficient. Recovery also requires the wallet descriptor, a document that encodes the complete spending policy.

The descriptor contains three essential pieces of information:

  1. The script type

  2. The m-of-n threshold

  3. All N extended public keys (xpubs) with their derivation paths and key fingerprints

Without the descriptor, possessing two of three seed phrases is not enough to reconstruct the multisig wallet or locate its funds. You know the private keys, but you do not know which xpubs belong to this wallet, in what order, or with what derivation paths. The funds are technically accessible but practically unreachable without significant technical reconstruction work.

The descriptor must be backed up separately from all seed phrases and stored with the same level of care. It is not a secret itself, since it contains no private key material, but losing it creates a serious recovery problem. Keeping it accessible alongside the seed phrase backups (but not physically co-located with any single seed) is the right approach.

The backup should be treated as mandatory, since reconstruction without it is technically demanding even with all seed phrases intact.

A multisig setup without a descriptor backup is less recoverable than it appears.
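A descriptor backup can be audited before it is needed. The added example below (not from the original article) extracts the three pieces of information listed above from a `wsh`/`sh` multisig descriptor and reports why a backup would fail to support recovery. The descriptor string, fingerprints and xpub strings are constructed placeholders, and the held fingerprints are assumed to be read from your own signing devices.

```python
import re

# Key expression: optional [fingerprint/origin path], xpub, child path.
KEY_RE = re.compile(
    r"(?:\[(?P<fp>[0-9a-fA-F]{8})(?P<origin>(?:/\d+[h']?)*)\])?"
    r"(?P<xpub>[xt]pub\w+)(?P<child>(?:/[\w<>;*']+)*)")
DESC_RE = re.compile(
    r"^(?P<wrap>sh\(wsh\(|wsh\(|sh\()(?P<func>sortedmulti|multi)"
    r"\((?P<m>\d+),(?P<keys>[^)]+)\)\)+(?:#(?P<csum>\w{8}))?$")

def parse_multisig_descriptor(desc):
    """Extract script type, threshold and per-key origin data."""
    top = DESC_RE.match(desc.strip())
    if not top:
        raise ValueError("not a recognised multisig descriptor")
    keys = []
    for expr in top["keys"].split(","):
        k = KEY_RE.fullmatch(expr)
        if not k:
            raise ValueError(f"unparseable key expression: {expr}")
        keys.append(k.groupdict())
    script = top["wrap"].replace("(", "-").rstrip("-") + ":" + top["func"]
    return {"script": script, "m": int(top["m"]), "n": len(keys),
            "keys": keys, "has_checksum": top["csum"] is not None}

def audit_backup(desc, held_fingerprints):
    """Return reasons this descriptor backup would not support recovery."""
    d = parse_multisig_descriptor(desc)
    held = {f.lower() for f in held_fingerprints}
    problems = []
    if not 1 <= d["m"] <= d["n"]:
        problems.append(f"invalid quorum {d['m']}-of-{d['n']}")
    for i, k in enumerate(d["keys"]):
        if not k["fp"] or not k["origin"]:
            problems.append(f"key {i} lacks fingerprint or derivation path")
    usable = sum(1 for k in d["keys"] if (k["fp"] or "").lower() in held)
    if usable < d["m"]:
        problems.append(f"only {usable} of the required {d['m']} seeds match")
    return problems

# Constructed sample: fingerprints and xpub strings are placeholders.
SAMPLE = ("wsh(sortedmulti(2,[aaaa0001/48h/0h/0h/2h]xpubSampleA/<0;1>/*,"
          "[bbbb0002/48h/0h/0h/2h]xpubSampleB/<0;1>/*,"
          "[cccc0003/48h/0h/0h/2h]xpubSampleC/<0;1>/*))")
```

An empty list from `audit_backup(SAMPLE, {"aaaa0001", "cccc0003"})` means the backup names the script type, the threshold and enough keys you can actually sign with.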

Is Multisig Right for You?

Multisig is appropriate when the cost of losing funds or having them stolen justifies the added operational complexity, which for most holders is a function of how much they hold and how long they plan to hold it.

Multisig is worth considering when:

  • Holdings are large enough that single-key risk is unacceptable
  • Storage is long-term with infrequent transactions
  • Inheritance planning or estate security requires multiple signers
  • A business or institution requires shared signing authority

Singlesig with a hardware wallet and a strong BIP39 passphrase may be sufficient when holdings are more modest, when the complexity of three devices and descriptor backup is not yet warranted, or when frequent transactions make multisig coordination impractical.

A well-executed singlesig setup is better than a poorly-executed multisig setup. Multisig adds security only if the descriptor is backed up, the devices are distributed geographically, and recovery has been tested.

Solo multisig, where you hold all three keys yourself, is covered in 2-of-3 Multisig Explained, while collaborative multisig, where a trusted third party holds one key as a recovery backstop, is covered in Collaborative Bitcoin Custody vs Solo Multisig.