Web Wallet Guide
These wallets offer more security than the "Day to Day Spending Wallets," but sacrifice speed and convenience. You give up some control of your funds in these type of wallets because they help you protect your private keys. They reduce the chances that your funds will be stolen and in some cases eliminate the danger of you losing your private keys. However, they expose you to the risk of having a government seize your funds, the company going bankrupt, or the company getting hacked and losing your funds. Essentially, you are trusting a company and the country it is located in, with safeguarding your private key instead of doing it yourself.
Wallets in this category fall into two subcategories: Wallets that control your private keys for you and Multi-Sig Wallets
Wallets that control your private keys for you
These services allow you to create an account, and they handle all the technical "Bitcoin stuff" for you. They control your private key and have full control of your funds.
Both Coinbase and Circle offer users two factor authentication: a code is sent by text to a users phone and they need to enter that code in order to sign in and do key actions like sending Bitcoin out of the account. This offers additional security just in case your password is compromised. Alternatively, you can install the Google Authenticator app on your phone, sync it with your account, and the codes will appear in the app. This is more secure than sending the code by text and it works offline since the codes are time based.
Coinbase offers a "Vault" feature for no additional cost. Putting funds in the "Vault" add three additional security measures: all withdrawals have a 48 hour delay, email confirmations required from two email accounts, and the ability to add other individuals as co-signers to withdrawals. So even if somebody compromises both of your email accounts and a withdrawal is initiated, Coinbase will send you a text, and emails to both email addresses and you will have 48 hours to block it.
Circle offers insured deposits. The insurance covers all funds stored with Circle, but only if the theft or loss is their fault. This is of limited usefulness if your account password is compromised, but serves to protect you if they have a major security breach where a large amount of user funds are taken.
If you are American, both Coinbase and Circle allow you to buy and sell Bitcoin through them. They are not true exchanges, more like brokers, buying/selling off of exchanges and taking a %.
You don't control your private keys, so you don't control your Bitcoin. Coinbase and Circle can freeze your account and stop you from withdrawing your funds. If you controlled your own private keys and the website went down or your account was frozen, you could just upload your private keys into a different Bitcoin wallet and send your coins to a new address, with Coinbase and Circle you cannot do that.
Transfers out of Coinbase and Circle are not always instantly broadcast to the network. This is because all funds are held together in both a cold wallet and a hot wallet. The cold wallet never touches the internet so sometimes the hot wallet runs dry and needs to be replenished. This is a security measure to prevent a hacker from accessing all customer funds but it also means that when the hot wallet runs dry, transfers get delayed. This is why we recommend mobile wallets for iPhone and Android for "Day to Day spending," especially for in-person transactions where instant transactions are a necessity.
Unfavorable Bitcoin regulation in the host country of both Coinbase and Circle, America, could jeopardize funds stored on those services. This becomes less of an issue everyday, as Bitcoin gains legitimacy, an outright ban becomes more and more unlikely. That being said, the Bitlicense regulations proposed by the NY State Department of Financial Services are quiet strict and could set the model for future federal regulations.
Wallets that use Multiple Signatures
These wallets use a security feature that has been built in to the Bitcoin protocol: Multi-Sig. Essentially an address has more than just one private key and it requires a certain number of those keys to sign any transaction. If those keys are kept in different places or with different people, it can be an incredibly secure method of storing Bitcoin. This allows them to offer two factor authentication and other security features without having control of your funds.
The three services offer different variations of Multi-Sig:
GreenAddress: Uses 2 of 2 Multi-Sig, they hold one private key and you hold one private key and both private keys need to sign each transaction. This means that they can't steal your funds and that you can't lose your funds if your private key is compromised. However, if their service were to go out of business, you'd lose access to your Bitcoin since you wouldn't have their key to sign your transaction. To solve this, GreenAddress used another feature built in to the Bitcoin Protocol, presigned transactions (nlocktime). All funds stored with them are set to automatically forward to an address with a private key you solely control so if their service goes down or if you lose your 2 of 2 private key, you will still have access to your funds.
Copay.io is an open source Bitcoin wallet created by Bitpay with the goal of helping companies and individuals store Bitcoin securely without having to trust a third party. You can set the number of total co-signers and the number of
required signatures allowing you to adapt the service to your specific needs. Copay is currently in beta and should not be used for large amounts of funds.
BitGo: Uses 2 of 3 Multi-Sig, they hold one private key and you hold two private keys, with two of the keys needed to sign a transaction. The idea is that you stash one key somewhere extremely secure and then both your other key and BitGo's keys are used to sign transactions. This means that BitGo cannot steal your coins and that you can remove your funds from their service whenever you desire by using both of your keys.
Disclaimer: This guide is intended solely to provide information. As I have no knowledge of individual circumstances and technical level, readers are expected to complete their own due diligence before proceeding with anything mentioned in this article. The topics discussed in this post are advanced and readers proceed at their own risk. Readers are expected to complete their own due diligence before purchasing or selling anything mentioned or recommended.