Accounts that require two or more keys to sign a transaction (requiring a certain permission), commonly referred to as multisignature accounts, are generally used to store funds securely and are without a doubt a very exciting EOS feature. But how do multisignature accounts work, how do you sign transactions with different keys and how can you set up a multisignature account yourself? We will explain all aspects of multisignature accounts on EOS in this article.

Structure of a default EOS account

Before we start explaining multisignature accounts it is important to understand (the structure of) default EOS accounts first. If you would like to fully understand EOS accounts, read our comprehensive guide here. If you would only like to learn about the default structure of an EOS account, read the explanation below.

Every user has one or more accounts on the EOS blockchain. EOS accounts are human-readable identifiers that are stored on the blockchain and they are required to push any (valid) transaction to the EOS blockchain.

EOS account names are 12 characters long and can contain the letters a-z and the digits 1–5. These account names replace the long and clumsy wallet addresses that are used in most cryptocurrencies.

Furthermore, every EOS account has permissions. Permissions can be seen as requirements which need to be fulfilled in order for a transaction to go through. Each permission has certain actions associated with it. A default EOS account has 2 native permissions:

Owner: shows ownership of the account and is needed to make any changes to the ownership of the account. The key for this permission is best kept (safely) offline, as it is not needed to do most things on the EOS network.

Active: used for transferring funds, voting for producers and making other high-level account changes.

Besides these 2 native permissions you can create new, custom, permissions that fit your needs.

In a default account, each permission has one key associated with it. Each key associated with a permission has a certain weight, and each permission has a certain weight threshold which needs to be met before a transaction requiring that permission is accepted.

Visualization of a default permissions structure. (Source: EOSIO Developer Portal)

To help you understand all of this information we have included the above image, which visualizes the permissions structure of a default EOS account. As you can see, the owner permission has a default threshold of 1, and 1 key with a weight of 1 associated with it. The same goes for the active permission which has a default threshold of 1, and 1 key with a weight of 1 associated with it. This means that only the (private) key associated with the owner or active permission is required to perform any transaction requiring the owner or active permission.

The (private) key associated with the owner permission is often referred to as the owner key, whereas the (private) key associated with the active permission is often referred to as the active key.

How multisignature EOS accounts work

Now that you are familiar with (the structure of) default EOS accounts, it’s time to learn about multisignature EOS accounts. Multisignature EOS accounts function similarly to default EOS accounts; the main difference between the two is the permissions structure. In a default EOS account every permission has a threshold of 1 and a single key with a weight of 1 associated with it, whereas the permissions in a multisignature EOS account have a threshold of 2 or higher and have multiple keys with (possibly) varying weights associated with them. This also means that multiple keys will have to sign any transaction from the multisignature EOS account.

Visualization of a multisignature permissions structure. (Adapted from: EOSIO Developer Portal)

An example of a possible permissions structure in a multisignature EOS account can be seen in the image above. Just like the default account described earlier, this account has both the owner and active permission.

However, the owner permission in this multisignature account has a threshold of 3 and has 3 keys associated with it: the active key from John’s account, which has a weight of 2; the active key from Bob’s account, which has a weight of 1; and the active key from Stacy’s account, which also has a weight of 1. This means that to execute any transaction requiring the owner permission, both John’s active key and either Bob’s or Stacy’s active key would have to sign the transaction before it is executed.

The active permission in this multisignature account has a threshold of 2 and has 3 keys associated with it: the active key from John’s account, which has a weight of 1; the active key from Bob’s account, which has a weight of 1; and the active key from Stacy’s account, which also has a weight of 1. This means that to execute any transaction requiring the active permission, any combination of 2 of the active keys would have to sign the transaction before it is executed.

Creating a multisignature EOS account

Now that you are familiar with how multisignature accounts work, it’s time to learn how to create a multisignature account yourself. Before you are able to create a multisignature account, you need to create a default EOS account first, which you will then turn into a multisignature account. If you do not have an account yet, you can follow our guide on how to create one here. Once you have an account, you can continue.

Keep in mind that changing the permissions structure of your account might render your account inaccessible and unrecoverable. Proceed with caution.

In this example we will create an account which can be shared with a friend. It will have the following permissions structure:

Permissions structure of our example account. (Adapted from: EOSIO Developer Portal)

In this example the owner permission has a threshold of 2 and has 2 keys with a weight of 1 associated with it: the active key of your own account and the active key of your friend’s account. This means that in order to perform any transaction requiring the owner permission, both you and your friend would have to sign the transaction with the active key before it is executed.

The active permission has a threshold of 1 and has 2 keys with a weight of 1 associated with it: the active key of your own account and the active key of your friend’s account. This means that in order to perform any transaction requiring the active permission, either you or your friend would have to sign the transaction with the active key before it is executed.
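The weight and threshold rule described above, applied to both the John/Bob/Stacy structure and this two-person structure, as an added example that is not part of the original article or of EOSIO's own code. The dictionary layout and the function names (is_satisfied, minimal_signer_sets, preflight) are assumptions made for illustration; the code only does the arithmetic and does not talk to the chain.

```python
from itertools import combinations

# Constructed from the structures described in this article (signer -> weight).
JOHN_BOB_STACY = {
    "owner":  {"threshold": 3, "weights": {"john": 2, "bob": 1, "stacy": 1}},
    "active": {"threshold": 2, "weights": {"john": 1, "bob": 1, "stacy": 1}},
}
SHARED_WITH_FRIEND = {
    "owner":  {"threshold": 2, "weights": {"you": 1, "friend": 1}},
    "active": {"threshold": 1, "weights": {"you": 1, "friend": 1}},
}

def is_satisfied(perm, signers):
    """True if the distinct listed signers' summed weight meets the threshold."""
    weights = perm["weights"]
    # set() so that a repeated signature from one signer is counted once.
    return sum(weights[s] for s in set(signers) if s in weights) >= perm["threshold"]

def minimal_signer_sets(perm):
    """Signer sets that satisfy perm and fail as soon as any one signer is removed."""
    names = sorted(perm["weights"])
    found = []
    for size in range(1, len(names) + 1):  # smallest sets first
        for combo in combinations(names, size):
            if is_satisfied(perm, combo) and not any(set(m) <= set(combo) for m in found):
                found.append(combo)
    return found

def preflight(perm):
    """Checks to run on a permission before changing it on-chain."""
    sets = minimal_signer_sets(perm)
    return {
        # False: no combination of signers can ever meet the threshold (lockout).
        "reachable": bool(sets),
        # Signers present in every valid set: losing one of these keys locks the permission.
        "required": sorted(set.intersection(*map(set, sets))) if sets else [],
        # Signers who satisfy the permission alone, with no second signature.
        "solo": sorted(s[0] for s in sets if len(s) == 1),
    }

if __name__ == "__main__":
    for label, account in (("john/bob/stacy", JOHN_BOB_STACY), ("shared", SHARED_WITH_FRIEND)):
        for name, perm in account.items():
            print(label, name, minimal_signer_sets(perm), preflight(perm))
```

For the two-person owner permission the check reports both signers as required, so losing either key makes owner-level changes impossible, while the active permission reports both signers as able to act alone.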

Let’s start updating the permissions structure to turn this account into a multisignature account. We will be using EOSToolkit for this tutorial. Navigate to the ‘Advanced Permissions’ page which you can find here. Then connect the account you are going to update by clicking ‘Attach Account’ on the top left and verify the connection using Scatter.