
The marketing for self-custody is a single line: be your own bank. The honest version is longer. You inherit responsibilities that a custodian was absorbing on your behalf, and pretending otherwise is how people end up with empty wallets and a story that starts "I thought it was backed up".
This is the fourth article in the Self-Custody Fundamentals series. The previous post inventoried the seven failure modes of custodial exchanges. This one is the honest counterpart: what self-custody actually puts on you. Read this before deciding self-custody is "obviously" the right model for everything — for some assets and some users, the trade-offs flip the other way.
TL;DR
- Self-custody trades a counterparty risk for an operational risk you own. The risks don't go to zero; they change shape.
- The bill comes in five categories: backups, operational security (opsec), device management, recovery planning, and time and attention.
- Most failures aren't dramatic — they're slow, mundane, and start with skipped steps months earlier (no backup written, seed photographed for convenience, recovery never tested).
- A 2-of-2 multisig like SSP softens several of these — losing one device isn't catastrophic, key compromise needs both devices — but it doesn't eliminate them.
- The right framing isn't "self-custody is hard". It's: you're substituting your discipline for the custodian's. Plan for that substitution honestly, or don't make it.
Category 1 — Backups
A custodian backs you up — by holding the keys to a balance they track in their database. You don't have to do anything to be "backed up".
Self-custody has no such party. The recovery material is the wallet — whether that's a 12/24 word seed phrase, a 2-of-2 device pair, or a hardware-wallet backup card. If that material is lost or destroyed, the funds are unrecoverable. Not "harder to recover". Unrecoverable.
What this means concretely:
- Write down the seed when the wallet asks you to. Pen and paper, on the spot. Not a screenshot, not a note in a password manager, not "I'll do it tomorrow".
- Store at least two copies, in physically separate locations. A fire, a flood, a theft, or a move shouldn't take out both copies. Common pattern: one at home in a fireproof bag, one with family or a safe-deposit box.
- For meaningful amounts, use a metal backup. Paper survives a decade if you're careful. A metal plate survives most home fires. Steelplate and Cryptosteel are the common products; the seed-phrase best practices post covers the options.
- Test the recovery before you trust it. Restore the seed onto a clean device once, verify the addresses match, then wipe and re-set-up. An untested backup is a hope, not a backup.
For SSP specifically, the 2-of-2 model means your "seed" is split into two: the SSP browser extension's master mnemonic plus the SSP Key mobile mnemonic. Both go through the same backup discipline — and either alone is not enough to recover the wallet.
Category 2 — Operational security (opsec)
Once the keys exist on your devices, the surface area changes. A custodian's opsec is their employees' problem; in self-custody it's yours.
The realistic threats for a typical user are not state-level adversaries. They are:
- Malware — a clipboard-replacer that swaps your destination address for the attacker's at the moment you paste, an infostealer that grabs an unlocked seed file, a malicious browser extension that silently signs transactions you didn't intend.
- Phishing — emails, DMs, and search-ad lookalikes that lead to a site that looks like a wallet you trust but isn't. Once you enter the seed, it's gone.
- Physical access — anyone who reads your seed paper, anyone who picks up an unlocked phone, anyone who finds an unencrypted backup on a desktop.
- Social engineering — phone calls or messages that walk you through "verification" steps that include reading your seed aloud, or installing remote-control software.
What this requires from you:
- Don't type the seed anywhere it lives digitally. Not email, not Notes, not iCloud, not a cloud password manager. The seed is offline-only by design.
- Verify the URL of any wallet site you sign into. Bookmark the canonical URL once. Type-check it every visit. Lookalikes are dirt cheap to produce; the only defence is bookmark discipline.
- Use a separate user profile or browser for crypto if you can. Reduces the blast radius of a malicious extension.
- Cross-check the destination address on a second device. SSP's 2-of-2 model makes this natural — the SSP Key mobile app displays the address before you sign, so a clipboard-replacer on the browser side gets caught.
You don't need military discipline. You need consistent, boring habits.
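The URL check from the list above, as an added example (not code from SSP or from this series): it compares a link against a bookmarked origin after parsing it, which catches lookalikes that a glance or a prefix match would accept. `checkWalletUrl`, `wallet.example`, and `evil.test` are hypothetical names used for illustration.

```javascript
// Added example. CANONICAL is a constructed placeholder, not a real wallet URL.
const CANONICAL = "https://wallet.example";

function checkWalletUrl(candidate, canonical = CANONICAL) {
  let seen, want;
  try {
    seen = new URL(candidate);
    want = new URL(canonical);
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (seen.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Text before "@" is userinfo, not the host: https://wallet.example@evil.test
  if (seen.username || seen.password) {
    return { ok: false, reason: "userinfo present; real host is " + seen.hostname };
  }
  // The URL parser converts non-ASCII hostnames to punycode (xn--...), so a
  // homoglyph lookalike no longer compares equal to the bookmarked host.
  const punycode = seen.hostname.split(".").some((l) => l.startsWith("xn--"));
  if (punycode && seen.hostname !== want.hostname) {
    return { ok: false, reason: "non-ASCII (punycode) host " + seen.hostname };
  }
  // Exact origin match (scheme + host + port). Prefix or "contains" matching
  // would accept wallet.example.evil.test.
  if (seen.origin !== want.origin) {
    return { ok: false, reason: "origin " + seen.origin + " is not " + want.origin };
  }
  return { ok: true, reason: "matches bookmarked origin" };
}

// Constructed sample inputs, one per lookalike pattern.
const samples = [
  "https://wallet.example/login",
  "http://wallet.example/login",
  "https://wallet.example@evil.test/login",
  "https://wallet.example.evil.test/login",
  "https://w\u0430llet.example/login", // Cyrillic "a" lookalike in the host
  "https://wallet-example.test/login",
];
for (const s of samples) {
  const r = checkWalletUrl(s);
  console.log((r.ok ? "OK     " : "REJECT ") + s + " -> " + r.reason);
}
```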
Category 3 — Device management
Custodians don't care which device you log in from. They authenticate the account, not the device. Self-custody inverts this: the device is the wallet. You now have to manage devices the way an admin manages servers.
The minimum responsibilities:
- Keep the OS and the wallet software up to date. Older versions accumulate known vulnerabilities. The 24-hour update lag for security patches is real; close it.
- Lock the device. A PIN or biometric on phone and laptop, with a short auto-lock interval. The wallet's own password is the last line, not the first.
- Know the lifecycle. When you retire a device, wipe it before resale. When a device is lost, treat the wallet on it as compromised until you've migrated.
- Don't store the seed on the same device the wallet runs on. Encrypted cloud backups of phone photos are how seeds end up on Apple's or Google's servers.
For 2-of-2 multisig, this list applies twice — once per device. The upside: losing one device is no longer instantly catastrophic. The downside: there are now two devices to keep current.
Category 4 — Recovery planning
The single highest-impact thing a self-custody user can do that almost nobody does is plan the recovery before they need it.
Recovery planning means answering, in writing, with the actual people involved:
- What happens if I lose the device tomorrow? Where is the seed, what's the restore process, how long does it take?
- What happens if I'm incapacitated or dead? Can the right person find the recovery material, do they know what it's for, and is the legal/inheritance side aligned (a will that references "crypto holdings" without specifying where the keys are is approximately useless)?
- What happens if the seed is compromised but I still control the wallet? The answer is immediately move the funds to a new wallet with a fresh seed. Practice this once before you have to do it under stress.
The Wallet Recovery Scenarios series covers the inheritance and emergency-access angle in detail; the short version is that a hidden plan is not a plan. People who need the recovery material must be able to find it, in a form they can use, without you walking them through it.
For SSP's 2-of-2 setup, this story is more forgiving than it is for single-seed wallets — losing your browser doesn't lose the wallet, because the v1.38 wallet recovery flow handles that — but inheritance requires both backup sets, not one. Plan for both.
Category 5 — Time and attention
The least visible cost and the one that compounds. Custodians absorb the operational tax of running a wallet — they decide when to roll keys, when to apply patches, when to upgrade the chain integration. You delegate the attention.
In self-custody you take that attention back. Realistic time bill for a user holding meaningful amounts:
- Initial setup: 1–2 hours done properly (writing the seed correctly, testing recovery on a second device, backing up in two locations).
- Per-month: ~15 minutes of housekeeping — wallet updates, OS updates, an occasional check that the backup is still where you put it.
- Per-quarter: 30 minutes — re-verify backups, check for advisories on the wallet software, review any new device or address you've added.
- Per-year: 1–2 hours — full opsec review (devices, backups, recovery plan, anything that's drifted from your written plan).
This isn't a lot. It is, however, more than zero, and zero is what people often plan for. The pattern that hurts users is treating self-custody as set-and-forget — because the wallet keeps working, the discipline atrophies, and the gap shows up the first time something goes wrong.
What this means for you
Three honest takeaways:
- The trade-off is real, but it's not infinite. A few hours of setup and a few minutes a month of upkeep is the actual cost for the typical user. The "self-custody is too hard" framing usually means "I don't yet know what the work is" — once you do, it's manageable.
- Most self-custody failures are mundane. Lost seeds, photographed seeds, untested backups, "I'll back it up tomorrow". The dramatic stuff (state-level attackers, $5 wrench attacks) is rare. The boring stuff is constant. Plan for the boring stuff.
- 2-of-2 multisig softens the steepest cliffs. Losing one device, getting one key compromised, single-point seed failure — these stop being catastrophic in a 2-of-2 setup. They become recoverable incidents rather than terminal events. That's the design intent.
The next article in the series, self-custody without going to cold storage, looks at the middle path between leaving funds on an exchange and going full air-gapped — and why for most users the right answer lives in that middle.


