
Security best practices for Casa members

This article applies to all Casa members and covers the foundational digital security practices that protect your Casa vault and your broader online presence. These recommendations complement the security already built into your Casa vault and are relevant regardless of which membership level or vault type you use.

TL;DR — Five practices significantly improve your security as a Casa member: use a password manager for every account, enable two-factor authentication (2FA) everywhere with a hardware key or authenticator app rather than SMS, protect your phone number from SIM-swap attacks, consider using a VPN for internet privacy, and perform regular health checks (verifying that each key in your vault is accessible and functional). Your Casa vault already protects your bitcoin through multisig (requiring more than one key to authorise a transaction), but these additional habits defend the broader digital environment around your vault.

Why these practices matter for self-custody

Casa is a non-custodial service — Casa does not hold, control, or have the ability to move your bitcoin or ether. Your vault is protected by multiple keys, and only you hold enough of them to authorise a transaction. The Casa Recovery Key, which Casa holds offline on your behalf, cannot be used alone to move your funds. This design means you are in full control of your digital wealth, but it also means that your personal digital security habits directly affect the safety of your vault.

The practices below protect the devices, accounts, and communications that surround your vault. A strong password on your email account prevents an attacker from intercepting a health check email. A hardware-based 2FA token prevents a stolen password from being enough to access your Casa account. A SIM-swap-resistant phone plan prevents someone from hijacking your phone number to intercept verification codes. None of these threats can break your multisig vault on their own, but layering good security habits on top of your vault's built-in protections makes the overall system far more resilient.

1. Use a password manager

A password manager generates, stores, and autofills strong, unique passwords for every account you use — from your email and banking to your Casa account and hardware device manufacturer portals. Without one, most people reuse the same handful of passwords across dozens of services. If any one of those services is breached, every account sharing that password becomes vulnerable.

A password manager also gives you a secure place to store your hardware device PINs. Rather than writing a PIN on a sticky note or trying to remember it, you can record it in an encrypted vault that is protected by a single master password and, ideally, a hardware 2FA token.

Recommended tools: 1Password and Bitwarden are both reputable, independently audited, and available on mobile and desktop. Choose whichever fits your workflow — the important thing is that you use one consistently.

For more on setting one up, see: Why you need a password manager — and how to set one up.

2. Enable two-factor authentication (2FA) on every account

Two-factor authentication adds a second step to your login — something you have (a hardware key or a code from an app) in addition to something you know (your password). Even if an attacker obtains your password through a breach or phishing attack, they cannot access your account without the second factor.

The strongest form of 2FA is a hardware security key like a YubiKey. You plug it into your computer or tap it on your phone, and it cryptographically proves your identity. No code to type, no code to intercept. If a YubiKey is not practical for every account, an authenticator app such as Google Authenticator or Authy is the next best option — it generates time-based codes on your device that are far more secure than SMS.

Enable 2FA on your email account first (this is the single most important account to protect, because password resets for most services go to your email), then your Casa account, then your bank, exchange accounts, and social media.

Critical: Do not use SMS text messages as your 2FA method. SMS is vulnerable to SIM-swap attacks (see below). If an account only offers SMS-based 2FA, it is still better than no 2FA at all — but switch to an app or hardware key the moment the option becomes available.

3. Protect your phone number from SIM-swap attacks

A SIM-swap attack is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they can receive any SMS verification codes sent to it — including codes for accounts that use SMS-based 2FA. This is one of the most common attacks against cryptocurrency holders.

To reduce your risk, contact your wireless carrier and ask them to add a separate PIN or passphrase to your account that must be provided before any changes can be made — including number transfers and SIM replacements. Most major carriers offer this. Additionally, avoid using your real phone number for public-facing accounts whenever possible, and never use SMS as your 2FA method for any account related to cryptocurrency or significant financial value.

Casa's multisig vault design means that even a successful SIM-swap attack cannot move your funds — an attacker would still need access to your hardware key and the signing quorum (the minimum number of keys required to send bitcoin). But protecting your phone number prevents attackers from gaining a foothold they could use to attempt further social engineering.

4. Consider using a VPN for internet privacy

When you use the Casa app or access your vault through a browser, your internet service provider (ISP) can see that you are connecting to Casa's servers. The traffic itself is encrypted — your ISP cannot see your vault balance, your transactions, or your keys — but they do know you are a Casa user. If you are concerned about this level of visibility, a VPN (virtual private network) routes your traffic through an intermediary server so that your ISP only sees a connection to the VPN provider, not to Casa.

A VPN is not a silver bullet — you are still trusting the VPN provider not to log your activity. For most members, a reputable VPN provides a meaningful improvement in privacy without significant complexity. For members who want stronger privacy, configuring a Tor client is another option — see Internet privacy basics for bitcoin holders for more detail.

Reputable VPN providers include: NordVPN, Private Internet Access (PIA), and Mullvad. Look for providers that have been independently audited, do not keep connection logs, and allow anonymous payment.

5. Perform regular health checks

A health check is the process of verifying that each key in your Casa vault is accessible and functional. The Casa app will prompt you to perform health checks on a regular schedule, and you should complete them promptly. A health check confirms that your hardware device is working, that it can communicate with the Casa app, and that the key stored on it is intact.

Health checks are especially important after any change to your setup — such as updating your hardware device's firmware, switching phones, or moving to a new location where your hardware device is stored. If a health check reveals an issue with one of your keys, you can perform a key rotation (replacing one key in the vault with a new one) while you still have access to the remaining keys in your signing quorum.

For instructions, see: What is a health check and how does it work?

Going further

The five practices above cover the most impactful steps for most members. If you want to go deeper, these articles cover additional security topics:

Need security advice for your specific setup?

If you have questions about how to apply these practices to your situation, or if you believe your security may have been compromised:

Standard members: email help@team.casa with a description of your concern.
Premium and Private Client members: reach out to your dedicated Client Advisor directly. Premium and Private Client memberships include periodic security reviews where your advisor can help you assess and improve your overall security posture.
