Here’s how it would work:
- Multi-sig, if possible — The solution would be built on multi-sig technology, so that I don’t have to trust the service provider. This is not a hard requirement. If to implement the other features required custodianship for technical reasons, and if I was comfortable with the provider’s security architecture, I might consider it anyway.
M-of-N signatures — The wallet would require m-of-n signatures for transactions. I would require two of, say, five. I would specify Friends A, B and C as signatories on the account.
Collusion prevention — Signatories have no account visibility, and are selected for notification only when I perform a transaction. Generally, I would only request Friend A to sign. This helps prevent collusion, as Friends A, B and C don’t know about each other’s participation in my account. In fact, Friends B and C don’t even know they are signatories on the account unless and until I choose to notify them (say, Friend A passes away.)
Privacy — When a signatory is notified that I’ve requested their signature on a transaction, details about the transaction are not visible to them. They never know my balance, nor the amount of transactions.
Time delay — I want the option that any time a transaction is authorized, there’s a 24 to 48 hour delay, during which I’m notified and have the possibility to cancel.
SafeSend — Above a certain threshold, the service will first make a small transfer, and wait for me to confirm before sending the rest. This prevents accidentally entering the wrong destination address.
Duress — Unrelated to the service, but I would establish a duress code with Friend A, in case I contacted him, well, under duress.
Inheritance — On each signatory, I can set a flag, “Notify on inheritance”, the use of which is explained below.
Dead-man’s-switch — The provider would offer a “dead-man’s-switch” service which emails me every two weeks asking if I’m alive. To respond, I just click a link; no login required (this has to be frictionless).
Trigger — The service continually tries to contact me for two weeks. If I don’t respond, the switch triggers and “Notify on inheritance” signatories are notified and given admin rights to the account. They also receive a pre-written message from me. (I would PGP encrypt that message, since it would be stored on the provider’s servers.)
Independent recovery — The service would have to provide a means by which I could recover my funds, should something happen to them. It must not be possible for the provider to freeze my funds.
Backup key — The system would provide for a backup key, similar to how BitGo does this today.
From what I’ve seen, BitGo is the closest today to providing something like the above, though they are still far away from providing this particular solution. Other candidates would include Xapo and Coinbase.