not really on topic, but going from not having backups at all to max security isn't necessarily the best way.
you can't have it without some downsides or inconveniences and you have to make sure they are ok for you or your friend.
for example 2-factor auth is nice, but you'd better not lose your YubiKey, or be certain you will have access to that email address virtually forever.
online wallets are convenient, but what if they vanish? how much work is it to get your wallet running at another service? can your friend handle that alone?
doesn't mean it's not the best solution for your friend. but a desktop client with encryption and backups might work just as well. might be a good time to introduce him to the magic power of backups anyway.
I told him, over half a year ago, when he bought his BTC - "encrypt and backup".
At the end, it's a matter of personal responsibility. He did ask me to hold on to his BTC for him, but I didn't want to take the responsibility ... it's enough responsibility holding my own BTC, would hate to lower someone else's.