If you chose a 2FA Protected account (formerly Multisig Shield) as your security policy, Blockstream Green adds an extra layer of security to your assets. Multiple keys are required to send a transaction, making it harder for thieves and hackers to steal your assets. The first key is on your device protected by a PIN code and is backed up with a 12 or 24 word recovery phrase. The second key is held on the Blockstream Green servers protected by two-factor authentication (2FA).
2FA Protected Account Types
You can create two types of 2FA Protected accounts in your Blockstream Green wallet. You can also have multiple accounts of different types in the same wallet.
Standard Accounts (2-of-2)
This is the default 2FA Protected account. Both keys are required to send a transaction.
In order to keep you in control, the 2FA key expires after 1 year by default, so that your funds can be spent only with your own key, instead of the usually required two signatures.
Key |
Location |
Protected by |
Backup |
1 |
Mobile or desktop device |
PIN code (different per device) |
Primary 24-word recovery phrase |
2 |
Blockstream Green servers |
2FA (same across devices) |
2-of-3 Accounts
This is a special type of account in Blockstream Green that is currently available for Bitcoin wallets only, not Liquid wallets.
Transactions are still sent in the same way as standard accounts, 2-of-3 accounts only provide an alternative option for recovery.
Whenever you create a new 2-of-3 account, the app will provide a third key in the form of secondary recovery phrase (in addition to your recovery phrase for key 1). Each 2-of-3 account will have a separate secondary recovery phrase
Key |
Location |
Protected by |
Backup |
1 |
Mobile or desktop device |
PIN code (different per device) |
Primary 24-word recovery phrase |
2 |
Blockstream Green servers |
2FA (same across devices) |
- |
3 |
Offline |
Your recovery phrase backup |
Secondary 24-word recovery phrase |
Tip: For extra security, you can set up a new wallet with Blockstream Jade, with one key stored on the hardware wallet instead of your mobile device or desktop.
2FA Protection and Sending a Transaction
When sending funds from your wallet, will require a signature from two keys:
- Key 1: On your device, protected by PIN.
- Key 2: On the Blockstream servers, protected by 2FA.
If you do not have 2FA set up in your wallet, key 2 will automatically sign any transactions signed by key 1.
Note: You must make at least one transaction every 12 months (depending on your timelock settings) to ensure that your account is secured by 2FA.
2FA Protection and Recovering an Account
If you lose access to your 2FA method or the Blockstream Green service becomes unavailable, the account recovery process differs depending on the type of account you are using:
Account |
Bitcoin |
Liquid |
2-of-2 |
Uses CheckSequenceVerify (CSV)* |
Uses CheckSequenceVerify (CSV) |
2-of-3 |
Uses a third backup key |
N/A |
Bitcoin 2FA Account Recovery (CheckSequenceVerify)
Note: On Monday, January 25th, 2021, Blockstream Green switched its timelock script from nLocktime to CheckSequenceVerify (CSV) for the timelocks used in Multisig Shield wallets for Bitcoin 2-of-2 accounts. This article describes the new CSV timelock behavior. If you used Blockstream Green before January 25th, some funds in your wallet might still be secured by nLockTime. Read this article for more information on how nLockTime timelocks work.
With CSV, transactions sent to your wallet are assigned a timelock period; by default, this time period is set to 51,840 Bitcoin blocks, or around 360 days. Once the timelock period expires, the funds can be spent only with the user key, instead of the usually required two signatures.
This means that during the first 360 days after you receive a transaction, you will need two keys to spend the funds received. After 360 days have passed (or more specifically, after 51,840 blocks have been mined) during which you have not moved the funds, you can spend them without 2FA authentication using solely the key on your device (or using our open source recovery tool in case the 2FA service is permanently terminated).
To ensure that your wallet is always secured by 2FA, the app will prompt you to reactivate the 2FA by redepositing any funds that haven’t moved for the duration of the timelock period.
Liquid 2FA Account Recovery (CheckSequenceVerify)
Liquid Standard account recovery uses the same method as Bitcoin standard accounts, the only difference is that the CSV timelock period is set to 65535 Liquid blocks (the maximum value), roughly 45 days.
After the timelock period expires, if you have not made any transactions from your account, you can spend your funds using only the key on your device (or the open source recovery tool).
Bitcoin 2-of-3 with 2FA Account Recovery (Backup Key)
With 2-of-3 accounts, at any time you can immediately access your bitcoins without 2FA by combining your third backup key with the key on your device (there is no timelock period). You can use the garecovery tool to spend funds in 2-of-3 accounts.
Unlike standard accounts, 2-of-3 accounts do not require regular redeposits.