For the single-sig, all secrets are in one place at the point of signing. So you are more vulnerable to tampered devices and $5 wrench attacks.
I actually think the backup complexity is not too bad. Multi-sig has the xPub set, but ultimately both require 4 secure locations if you want redundancy (2 for each key). The main problem with the xPub backup IMO is privacy (an attacker can see your balance), so single-sig wins there.
Counterintuitively, a 2-of-3 multi-sig is easier to back up here because you only need 3 locations (the redundancy is "built-in"). I can't think of a reason why you'd want a 2-of-2 multi-sig for storing funds.
Alternatively you could just roll with single-sig + passphrase, where the passphrase is memorised + has one physical backup (so again 3 locations total). IMO this is a good middle ground for people uncomfortable with multi-sig and far superior to single-sig fragmentation because it's a recognised standard and also gives you plausible deniability (the seed-only wallet acts as a decoy). The passphrase should be sufficiently complex (6 - 8 words taken from the BIP39 word list would be good).
One downside of the passphrase compared to a 2/3 multisig is you don't have any redundancy. If you lose your passphrase, you lose your Bitcoin. In a 2/3 multisig if you lose a sig you don't lose your Bitcoin.
You did a great job listing the pros of a passphrase, just wanted to throw out the con I thought of.
reply
100%
Personally I roll with multi-sig these days but it took me a while to upgrade from single-sig + passphrase.
reply
Thanks for the single-sig passphrase idea. I haven't played with passphrases at all, probably worthwhile.
reply
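An added example, not part of any comment in this thread: how the BIP39 passphrase discussed above enters seed derivation, why the seed-only wallet works as a decoy, and why a lost or mistyped passphrase fails silently. The function names and sample passphrases are constructed for illustration; the mnemonic is the public BIP39 test vector and must never hold funds.

```python
import hashlib
import math
import unicodedata

BIP39_WORDLIST_SIZE = 2048  # each word drawn at random carries 11 bits
PBKDF2_ROUNDS = 2048        # iteration count fixed by BIP39

# Public BIP39 test-vector mnemonic (never use for real funds).
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed as BIP39 specifies:
    PBKDF2-HMAC-SHA512(password=mnemonic, salt="mnemonic"+passphrase)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def passphrase_entropy_bits(word_count: int) -> float:
    """Entropy of a passphrase built from uniformly random wordlist words."""
    return word_count * math.log2(BIP39_WORDLIST_SIZE)


def compare_wallets(mnemonic: str, passphrases: list) -> dict:
    """Map each passphrase to a short seed fingerprint. Every input yields a
    valid seed, so the wallet cannot tell a typo from the real passphrase."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


if __name__ == "__main__":
    # Constructed sample passphrases: empty (decoy), intended, one-letter typo.
    candidates = ["", "ladder tunnel orbit", "ladder tunnel orbir"]
    for phrase, fingerprint in compare_wallets(TEST_MNEMONIC, candidates).items():
        print(f"{phrase!r:24} -> seed {fingerprint}...")
    for n in (6, 8):
        print(f"{n} random words = {passphrase_entropy_bits(n):.0f} bits")
```

Because every passphrase maps to some valid wallet, a restore should be verified against a known receive address before the backup is trusted.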