I think this is a great option for the less tech savvy to be able to have something close to cold storage and it's great that coinbase is leading the way on this. W/o discounts for buying w/ BTC and wallet services that are impervious to theft, you won't have mainstreet coming anywhere near crypto aside from bulls orchestrating panic buying frenzies.
This is an incredibly complicated non solution for a simple matter of a 50 some digit number.
It also has elements of danger in it, based on the specific (unknown, unknowable likely) internals of accounting on the coinbase side.
Here is my take on it.
"I'm worried! I have a 54 digit number that is my private key. Someone could find it! Someone could take all my money!"
"No problem, I have just the solution for you. Trust me. Just get MORE PEOPLE INVOLVED WITH YOUR PRIVATE KEY!"
.....
Really?
It is multi-sig, not just a single private key on a user's desktop and on their hard drive where if either system is compromised then it is gone. Because the private key is split and then divided into multiple places it is actually more safe because now multiple computers have to be compromised. It isn't exactly trusting more people with your private key, it is trusting more people with part of your private key. Meaning multiple places now have to be compromised instead of just one.
Take the famous Klee hack a couple months ago. He had the private keys on a file on his desktop. Over 1 million USD worth of coins were stolen. The only thing that didn't get stolen were the ones with 2FA. That is because the process of transferring the money was divided up between multiple computers (or in his case a computer and phone) so the hacker couldn't get to some of his funds.
As one poster said with Coinbase's new system a hacker will now have to
1. gain access to your regular password
2. gain access to your phone for 2FA (if this is enabled and it should always be enabled on any site when possible)
3. gain access to your vault passphrase
4. gain access to your phone again for 2FA
5. then have the original owner of the account not get any of the test messages or emails sent by Coinbase asking to cancel the transaction with a single click.
After 48 hours if the owner of the account owner hasn't canceled the transfer, then and only then it goes through.
To me this combination of steps that a hacker must now go through seems to make it just about impossible, less somebody is actually held by force against their own will.
This is just for the normal multi-sig account. They have another that a person can set up where Coinbase doesn't even have a single key and multiple outside computers controlled by the client would have to be compromised.
The 2nd possible route for a person to lose their funds is for a person to find the private keys and public keys (all are needed) printed up and theoretically well hidden by the client. Then also discover the exact pass phrase for decoding the vault's key which had been encrypted with the passphrase. Then download the opensource program from Github and use it to transfer the funds. This again would take such a serious combination of skillset. A skill set that would include intelligence, physical theft, and hacking knowledge. It is easy to find a person that has one of these, but not all three. It again is very unlikely.
The last way a person could get to the coins that I have found out about is a person's computer is compromised when setting up the vault. That is all a hacker need in that scenario. It is by far the weakest and easiest target, but for this to happen a hacker needs to know that a client will create a vault on a certain computer and be sitting around waiting for that to happen hoping the client along the way doesn't notice the computer is compromised. The easiest way to thwart this too, which is very easy is to boot with an Ubuntu live DVD, log into Coinbase and create the vault. The hardest part of that is that Coinbase doesn't (yet) support Firefox when making the vault but will soon so in addition to booting with Ubuntu, then a person will have to install Chrome on Ubuntu before setting up the vault. And while this part is starting to get complicated, it is by no means nearly as complicated as securely creating cold storage which again involves creating keys on an offline computer running a fresh copy of Linux with a fresh Bitcoin wallet/program/client installed and then transferring them to a live computer, a process that has to be repeated each and every time for each transaction.
