A single hardware wallet used properly will protect you from most attacks except for:
- Losing all copies of your seed or passphrase
- An attacker getting your seed through coercion or theft
- Attacks from the hardware device itself
Multisig eliminates these threats since an attacker will need 2 or more of your seeds. If you lose a seed you can still access your funds. Here’s how to go about it:
1. Choose a multisig software. Specter is trustless and free but requires a Bitcoin node. Blue Wallet is a good free mobile multisig. Semi-custodial companies that hold one of your keys are Casa with a monthly fee or Unchained with a fee to sign if-needed.
2. Pick a M-of-N multisig where M is less than N, such as 2-of-3. Give yourself some leeway, a 2-of-2 requires all your backups to work perfectly.
3. Store your seeds in different locations. This way a thief cannot steal your Bitcoin even if they have access to a single location such as your house.
4. Backup your wallet info in all locations. Backup pubkeys from your multisig software in several locations, you’ll need them to recover if you lose a seed.
5. Practice recovery without one of your seeds. Using your pubkey backup, make sure you know how to recover your wallet using only 2 of your 3 seeds.
6. Avoid using devices from the same manufacturer. Do not expose yourself to risk from a single manufacturer.
7. Use devices that can verify multisig receive and change addresses. Your hardware wallet should store all the pubkeys in order to verify addresses such as the ColdCard, CoboVault, and BitBox02.
A guide on how to use Specter + ColdCard + CoboVault can be found here.