Appendix E

Why are 2-of-3 and 3-of-5 multisig setups bad?

In this appendix we explain the pitfalls of 2-of-3 or 3-of-5 multisig setups and why they are bad.

Firstly, there is no true 2-of-3 multisig in modern Bitcoin[20]. You need 3-of-3 public keys (all three) AND 2-of-3 private keys (or seeds). If you lose one public key, the funds are locked forever[21]. So, if you weren't taught this counterintuitive detail when you set up your 2-of-3 wallet and didn't explicitly back up all 3 public keys together *at each of the private key locations* (and redundantly in the cloud), then you didn't actually create a 2-of-3 wallet. Users poorly understand this detail, and wallets poorly guide users on how to back up the public keys. HWW vendors may not have documentation on how best to use their device in a multisig setup. So 2-of-2 shines here because the user knows they cannot lose all copies of A and all copies of B. They can also reason with themselves about keeping copies of A away from copies of B.

Secondly, the premise of a 2-of-3 setup, that not all keys are required, steers the user to believe they're secure with only a single copy of each of the 3 keys, creating a false sense of security that two things will never go wrong at once. Otherwise, why not suggest a 4-of-6 multisig? If there should be copies of keys in a 2-of-3 setup, that implies you should have a 4-of-6 setup. 3 locations and 3 keys? Or 3 locations and 6 keys? Also, in these 2-of-3 setups users are often instructed to use a different signing device for each of the keys. This increases the chance of user error, since the user has to learn different interfaces, and it means more vendors that heirs need to rely on to buy replacement devices when a HWW inevitably breaks. Better entropy from dice rolls does more to secure your setup than prioritizing a diversity of signing devices[22].

For a 2-of-3 wallet, there are 3 possible combinations of keys (3 choose 2) that can be used to authorize a transaction.

For a 3-of-5 wallet, there are 10 possible combinations of keys (5 choose 3) that can be used to authorize a transaction.

Let's dissect a 3-of-5 multisig setup. I have a problem with the requirement for 5 uncorrelated locations. Do regular people have 5 separate locations to hide seeds? If they solve that socially by giving seeds to friends and family, how do they keep track in their heads of the 10 possible ways those keys could be combined and make sure none of the 10 groups of 3 people will collude against them? Relationships change. What if 2 people who didn't know each other meet at some large function like a wedding and become friends? How does the user account for these future possibilities?

Here again 2-of-2 shines, as we can continue to grow our circle of trusted seed B guardians without ever losing sleep over some set of trusted people colluding against us.
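The two points above, that spending needs only M private keys while rebuilding the multisig script needs all N public keys, and that a 3-of-5 setup has 10 possible groups of 3 cosigners, as an added Python example that is not part of the original document. The public keys and the backup layouts are constructed placeholders, not real secp256k1 points or real wallet data.

```python
import hashlib
from itertools import combinations

# Constructed placeholder "compressed public keys" (33 bytes, 0x02 prefix). They are not
# real secp256k1 points; the point is only that the script commits to every key.
PUBKEYS = [b"\x02" + hashlib.sha256(f"cosigner-{i}".encode()).digest() for i in range(5)]

def multisig_witness_script(m, pubkeys):
    """Build OP_m <pk_1> ... <pk_n> OP_n OP_CHECKMULTISIG with keys sorted as in BIP 67."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("unsupported m-of-n")
    script = bytes([0x50 + m])                  # OP_1..OP_16 encode as 0x51..0x60
    for pk in sorted(pubkeys):
        script += bytes([len(pk)]) + pk         # direct push of a 33-byte key
    return script + bytes([0x50 + n, 0xAE])     # OP_n OP_CHECKMULTISIG

def p2wsh_commitment(m, pubkeys):
    """A P2WSH output commits to sha256(witness script); one missing key changes it."""
    return hashlib.sha256(multisig_witness_script(m, pubkeys)).hexdigest()

def can_spend(m, n, surviving_backups):
    """Each backup is a dict {"priv": {key indexes}, "pubs": {key indexes}}.
    Spending needs m private keys AND all n public keys to rebuild the script."""
    privs = set().union(*(b["priv"] for b in surviving_backups))
    pubs = set().union(*(b["pubs"] for b in surviving_backups))
    return len(privs) >= m and len(pubs) == n

def collusion_groups(m, n):
    """Every group of m cosigners that could jointly spend (the page's 3 and 10)."""
    return [set(g) for g in combinations(range(n), m)]

def naive_backups(n):
    """The common mistake: each location holds only its own seed and its own public key."""
    return [{"priv": {i}, "pubs": {i}} for i in range(n)]

def complete_backups(n):
    """Each location holds its own seed plus all n public keys."""
    return [{"priv": {i}, "pubs": set(range(n))} for i in range(n)]

if __name__ == "__main__":
    # Lose location 2 of a 2-of-3: two seeds survive, but only the complete layout can spend.
    print("2-of-3 naive, location 2 lost:   ", can_spend(2, 3, naive_backups(3)[:2]))
    print("2-of-3 complete, location 2 lost:", can_spend(2, 3, complete_backups(3)[:2]))
    print("3-of-5 groups of 3 that must never collude:", len(collusion_groups(3, 5)))
```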