Javascript to generate a bip39 seed (its encoded as words) and have them write this down when they create their account - they'll never have to touch it until your company closes. You get the public key sent during submission. All addresses in for this user will be 2-of-3, where its [sites_key, users_key, backup_key].
Otherwise, you could instead use a deterministic chain, such as BIP32, and this is used to create the users backup_key. Give the user a copy of the extended public key, and then if your company closes, give the seed to this chain. Everyone can import the key, but only sign transactions relating to their address.
Exactly what I was thinking except for 2 major differences:
1. The business model of no-trust has to work both ways. If the user places a bid into one of the multi-sig addys, I want to know he's not going to try and time a send away from the addy before we can collect it and he wants to know that I can't just take his bitcoin and do whatever I want with it. But at the same time, if we crash and burn permanently, I want the third seed to go to him so that he can generate his 2nd addresses and receive any funds in any of his multi-sig addys with us.
2. In order to do this, it is required that #1 we don't know the seed, #2 customer doesn't know the seed. So I was thinking of creating an autonomous, open-source deadman switch that anyone can verify should work properly. This software would create a seed, then derive a master public key, send the master public key to our service for us to hold for them and make their public keys to use for multi-sig addy creation. This software would also encrypt the seed along with an Win / Mac / Linux executable that would streamline the process of retrieving funds for the "what's a multi-sig?" crowd of investors who might not be to keen on the tech. In the event of a failure on our end, the deadman switch initiates, and each user will receive an e-mail with their encrypted seed and they use our script/executable (which would probably just use AES or something openly available anyways) with a password to decrypt and retrieve funds. Of course we also have a method of releasing the deadman switch to the user in case they lose their seed... but this will unlock the deadman's switch using their password, and automatically create a new 3 seed pair and automatically send all funds to the 1st multi sig addy on that.
Because of this, I think using a BIP32 chain wouldn't be viable, as we would need 3 separate seeds, 2 that we don't know, 2 that they don't know, and 1 that we both don't know. If we just derived different chains of the same seed, someone would know more than one.