 People who say “don’t use phones for your main Bitcoin savings” never make sense to me.

1/ Security matters: Phones have a much smaller attack surface and are designed with security in mind, unlike desktops burdened with legacy software and hardware. What's easier to crack—a Windows machine or an iPhone?
2/ Dedicated devices: If you're concerned about your main phone being out and about too much, get a second, dedicated phone for your savings. You should also use a dedicated desktop if you're truly serious about security. Avoiding phones but using a non-dedicated desktop filled with software means you don’t care about security as much as you think you do.
3/ Use multisig: If you set your wallet up properly, the phone should hold no private keys—only a watch-only interface. The wallet interface should be the *least* of your worries. Distributed multisig keys are your main defense. Focus your energy on securing the actual keys.
4/ Use a decoy wallet: If you can’t get a second phone, use a decoy wallet. You can use a decoy wallet even if you have a dedicated phone.

So don’t take bad advice, even from Bitcoiners. Think from first principles.

Don’t be stuck in the 20th century. DO use phones for your main Bitcoin savings. 
 P.S. Nunchuk ships both mobile and desktop apps, but IMO mobile is the future of Bitcoin self-custody. 
 imo mobile is gonna be dead in the water after we get one good global wireless network outage from an X20 solar flare 
 I don't think your key material should ever be on a device connected to the Internet  
 That’s what I said. The phone (or desktop) should be a watch-only interface. 
 i wish there was a proper USB detached signer device... some of the yubikeys support storing a secret and signing hashes with them but not the ones we need

just usb-a/usb-c interface on it would be enough for now, an NFC interface would be a nice extra... all it does is sign a hash, and keep the secret and execute a BIP-340 signature

an extra neat feature would be if you could have it store like 16 secrets on it and sign on any of them with the protocol specifying the signing pubkey... 
 absolutely not

main savings account should be on a separate device from the one you carry around... 5$ wrench attack, at least put fucking locked doors in front of the access to the device, and be careful with its network security

cold storage is a separate thing, daily spending, sure, put that on a hot system, my personal recommendation is have something like an alby hub, which is moderately secure and hard to access where you have the bigger hot LN balance, and then you can zap easily to your mobile and browser (alby extension makes this pretty much seamless)

multisig is not going to help for hot storage, at all, you only want that for long term and cold storage, with cold storage the inconvenience is a feature 
 > main savings account should be on a separate device from the one you carry around

That’s exactly what I said. Reread point 2. Not sure what you’re disagreeing about.

> multisig is not going to help for hot storage 

I’m NOT discussing hot spending wallets, I’m talking about main savings. (So your LN example also isn’t relevant here). 
 @Jameson Lopp thoughts?
 Generally agree, though I think folks are being far too optimistic about the practicality of decoy / duress wallets.

I wrote up my thoughts recently: https://blog.casa.io/can-duress-wallets-stop-bitcoin-attacks/ 
 Great and instructive article! Thanks sir. 
 I’m more optimistic on decoy wallets. Of course they don’t address all types of attacks (no security feature ever does), but one can easily imagine how they can be useful *at least* in the case of non-targeted attacks, which will probably become more common when Bitcoin goes mainstream. It will not be unusual for a random person on the street to own Bitcoin.

The anecdote you cited about one victim refusing to give up anything and telling the attackers to shoot her: she might very well have gotten lucky - she could’ve ended up dead.

At the end of the day, stories/anecdotes are just that. They don’t have predictive power. We don’t have substantial data on how many users have used decoy wallets, and how many have used them successfully or unsuccessfully.

TL;DR: Decoy wallets are just one tool in a large toolset. Writing them off based on a few data points seems a bit premature IMO. 
 Exactly - we don't have much data on this defensive measure and you can't predict how an attacker will react to being given a decoy wallet. I'm not a big fan of speculative security measures. 🤷🏻‍♂️ 
 In a perfect world, I’d agree with you.

But we don’t live in one. I mean take the entire defense industry for example. Many weapons, offensive or defensive, are speculative in nature: you don’t know how effective they are until they’re actually used in a war zone.