Dual-control approvals: no one person can move the money.
The most expensive security failures are rarely a broken algorithm. They're one person — coerced, phished, impersonated, or simply mistaken — being able to do something irreversible alone. Dual control fixes that by refusing to let a single approval be enough. Helix can require N-of-M trusted sign-offs before a high-value action goes through: a large transfer, sharing a vault, disabling a defense. The action waits until a quorum of the people who should agree actually do. Here's how it works, the threat it shuts down, and where it does and doesn't help.
1. What dual control actually is
Dual control is an old idea from the highest-stakes corners of security: no single individual should be able to perform a critical action alone. The two-person rule on nuclear launch keys is the famous example, but the principle runs through bank vaults, wire rooms, certificate authorities and safe-deposit boxes. The logic is simple and durable. If one person can do the thing alone, then compromising, coercing, bribing, or impersonating that one person is enough to make the thing happen. Require two — or three, or four — independent people to agree, and the attacker's job multiplies: they now have to subvert every one of them, at the same time, without any of them raising the alarm.
What's changed is where the high-stakes actions now live. They aren't just physical keys anymore; they're digital. Moving a large sum, granting someone access to a shared vault of credentials and documents, exporting a wallet, or turning off a security control — these are all single-click operations on a phone or laptop, and historically they've all required exactly one person's say-so. Dual control brings the two-person rule into that digital world: the click is no longer the end of the decision, it's the start of a request that needs a quorum to complete.
2. N-of-M, in plain terms
The flexible version of dual control is N-of-M. You designate a set of M trusted approvers, and you decide how many of them — N — must approve before a given action goes through. A few concrete shapes:
- 2-of-2. Both designated people must approve. Strongest, but if one is unreachable, nothing moves. Good for two-principal partnerships.
- 2-of-3. Any two of three approvers suffice. This is the sweet spot for most groups: a single compromised or coerced person can't act alone, but you don't grind to a halt if one person is on a plane.
- 3-of-5. A board, a fund's signatories, or a family's trustees. A majority must agree: two approvers can be unreachable and the other three still act, and two compromised approvers still fall one short of the threshold. Note that the two margins are not independent, though: every honest approver who is unavailable shrinks the pool the honest side has left to reach three.
The art is choosing N and M for the real failure you fear. A higher N resists coercion and compromise better but is more fragile to people simply being unreachable; a lower N is more resilient to absence but easier for a single bad actor or a single stolen device to satisfy. The point of making it configurable is that "how much agreement does this action deserve?" is a business decision, not a technical default — a routine reimbursement and a nine-figure transfer should not require the same quorum.
It's also worth thinking in terms of tiers rather than a single global rule. The most workable setups gate different actions at different thresholds: small, routine operations need one person; medium ones need two; the truly irreversible — a transfer above a large ceiling, a vault shared with a new party, a defense disabled — needs three. That graduated approach keeps friction proportional to risk, so the quorum never becomes the thing people resent and quietly route around. The failure mode of any approval system is users finding a way to avoid it; matching the burden to the stakes is how you keep the control alive instead of letting it ossify into a box-ticking ritual everyone has learned to ignore.
3. Which actions should need a quorum
Dual control is friction, and friction belongs on the actions where the downside is catastrophic and irreversible — not on everyday use. The actions worth gating typically fall into three buckets:
- Moving value. A large transfer, a wallet export, a withdrawal above a threshold, signing a transaction over a certain size. The irreversibility of money — and especially of crypto — is exactly what makes a second pair of eyes worth the delay.
- Granting access. Sharing a vault, adding a new member to a sensitive group, exporting credentials, or handing someone the keys to documents. These don't lose money directly, but they widen the blast radius of every future compromise.
- Weakening defenses. Disabling a security control, turning off the dead man's switch, removing an approver, or lowering a threshold. An attacker's first move after gaining a foothold is almost always to switch off the thing that would catch them — so the act of switching it off should itself require a quorum.
That last category is the one people forget and the one that matters most. A defense that any single compromised account can silently disable isn't a defense; it's a speed bump. Putting dual control around the controls themselves means the attacker can't quietly disarm you before striking — they'd have to subvert the whole quorum just to remove the obstacle, which is the entire point.
4. How an approval flows
The mechanics matter, because a clumsy approval flow just trains people to rubber-stamp. A well-built dual-control flow looks like this. Someone initiates a gated action — say, a large transfer. Instead of executing, the action enters a pending state and a request fans out to the designated approvers over a channel they trust. Each approver sees exactly what they're being asked to authorize: who initiated it, what the action is, the amount or scope, and the destination. They approve or decline from their own device, with their own authentication — not by telling someone "yeah, go ahead," which is forgeable, but by cryptographically confirming on hardware only they hold.
The action only completes once N approvals are gathered; until then it sits, and it can be declined or left to expire. Crucially, the approval is bound to the specific action and its details, so an attacker can't get a sign-off for a small transfer and quietly swap in a large one. Each approver is approving that exact request, not a blank cheque. The whole exchange rides Helix's encrypted channel, so the request and the approvals can't be read or tampered with in transit, and there's a clear record of who approved what — which is its own deterrent against insider mischief.
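The flow described in this section, together with the tiered thresholds from section 2, written out as an added example in Python. This is illustrative code, not Helix's implementation. Its assumptions: an HMAC over a canonical digest of the request, keyed with a per-approver secret, stands in for the signature a device-held key would produce; the tier amounts and action names are hypothetical; and the initiator is not allowed to count toward their own quorum. What it shows that the prose does not is the binding in action: a sign-off gathered over one set of details fails verification against any other request, a repeated approval from the same person counts once, and a stale request expires rather than executing late.

```python
"""N-of-M dual control as a small state machine (added example, not Helix code).

Each approval is bound to the exact request by signing a canonical digest of
it, so a sign-off gathered for one request cannot be replayed against another.
Assumptions: HMAC with a per-approver secret stands in for the device-held
signing key; tier thresholds are made up; the initiator cannot self-approve.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Actions that weaken a defense always get the top tier (hypothetical names).
DEFENSE_ACTIONS = {"share_vault", "disable_defense", "remove_approver", "lower_threshold"}


def required_quorum(action: str, amount: int = 0) -> int:
    """Tiered policy: friction proportional to risk. Thresholds are hypothetical."""
    if action == "transfer":
        if amount < 10_000:
            return 1          # routine: one person
        if amount < 1_000_000:
            return 2          # medium: two
        return 3              # above the ceiling: three
    if action in DEFENSE_ACTIONS:
        return 3
    return 1


def request_digest(request: dict) -> bytes:
    """Canonical JSON so initiator, approvers and gate all hash identical bytes."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def sign_approval(approver_key: bytes, request_as_shown: dict) -> bytes:
    """Approver side: sign exactly the details displayed on the approver's own device."""
    return hmac.new(approver_key, request_digest(request_as_shown), hashlib.sha256).digest()


@dataclass
class Pending:
    request: dict
    approvals: dict = field(default_factory=dict)  # approver -> tag (the audit record)
    state: str = "pending"                         # pending | executed | declined | expired


class ApprovalGate:
    def __init__(self, approver_keys: dict):
        self.approver_keys = approver_keys         # the M designated approvers
        self.pending: dict = {}

    def initiate(self, action, initiator, amount, destination, now, ttl=3600) -> dict:
        """Gated action enters the pending state; the returned request is what fans out."""
        request = {
            "id": secrets.token_hex(8), "action": action, "initiator": initiator,
            "amount": amount, "destination": destination,
            "quorum": required_quorum(action, amount), "expires_at": now + ttl,
        }
        self.pending[request["id"]] = Pending(request)
        return request

    def approve(self, request_id: str, approver: str, tag: bytes, now: int) -> str:
        p = self.pending[request_id]
        if p.state != "pending":
            return p.state                          # already executed, declined or expired
        if now > p.request["expires_at"]:
            p.state = "expired"
            return p.state
        key = self.approver_keys.get(approver)
        if key is None:
            raise PermissionError(f"{approver} is not a designated approver")
        if approver == p.request["initiator"]:
            raise PermissionError("initiator cannot count toward their own quorum")
        expected = hmac.new(key, request_digest(p.request), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            # Tag was computed over different details: tampered or substituted request.
            raise ValueError("approval is not bound to this request")
        p.approvals[approver] = tag                 # dict key: one approver counts once
        if len(p.approvals) >= p.request["quorum"]:
            p.state = "executed"
        return p.state

    def decline(self, request_id: str, approver: str) -> str:
        if approver not in self.approver_keys:
            raise PermissionError(f"{approver} is not a designated approver")
        p = self.pending[request_id]
        if p.state == "pending":
            p.state = "declined"
        return p.state


if __name__ == "__main__":
    # Constructed demo keys; real keys never leave the approver's device.
    keys = {"alice": b"a" * 32, "bob": b"b" * 32, "carol": b"c" * 32}
    gate = ApprovalGate(keys)
    req = gate.initiate("transfer", "dave", 250_000, "acct-123", now=1000)
    print(gate.approve(req["id"], "alice", sign_approval(keys["alice"], req), now=1001))
    print(gate.approve(req["id"], "bob", sign_approval(keys["bob"], req), now=1002))
```

The design point worth noticing is that `approve` never trusts the caller's description of what was approved: it recomputes the binding from the request it holds and checks the tag against that. A real deployment would replace the HMAC with a per-device asymmetric signature so the gate holds no secret capable of forging an approval, and would persist `approvals` as the who-approved-what record the text describes.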
5. The threat it shuts down
Dual control is aimed squarely at the attacks where a single point of authority is the weakness. Consider the ways money and access actually get stolen at the top end:
- The compromised device. A principal's phone is infected or unlocked by an attacker. Without dual control, that one device can authorize everything. With 2-of-3, the attacker holds one approval and still can't move — they'd need to compromise a second, independent person at the same time.
- The phished or impersonated employee. A finance staffer gets a convincing instruction to wire funds. Dual control means their single action isn't enough; a second approver, who didn't receive the same phish, has to independently agree — and is far more likely to ask "wait, what is this?"
- The rogue insider. Someone with legitimate access decides to take what isn't theirs. A quorum requirement means they can't act alone and can't act invisibly; they'd have to recruit co-conspirators, which most won't risk.
In every case, the common thread is that the attacker has subverted one point of control and dual control denies that it's enough. The defense doesn't assume your people are dishonest or your devices are clean — it assumes that any single one of them might fail, and refuses to let that single failure be sufficient. That's the same humility that runs through good security generally: don't bet everything on one thing not breaking.
There's a subtler benefit that's easy to miss: dual control changes behavior before any attack, not just during one. When people know a second person will see and have to approve a significant action, they prepare it more carefully, document it more clearly, and think twice about anything that wouldn't survive a colleague's glance. The quorum becomes a quiet check on haste and on the kind of "just this once" shortcut that precedes most disasters. And when something genuinely goes wrong, the record of who approved what gives you a clean, tamper-resistant account of how the decision was made — invaluable for the post-mortem, and a powerful deterrent against the insider who'd rather not leave fingerprints. The control protects you twice: once by stopping the lone bad action, and again by making every gated action deliberate and attributable.
6. Coercion, deepfakes and the lone signer
Two modern threats make dual control more relevant than ever, not less. The first is coercion — the "wrench attack," where an adversary simply forces a person to authorize a transfer at the worst moment. If that person can act alone, the coercion succeeds instantly. If the action needs a quorum, the coerced individual genuinely cannot complete it without others who aren't in the room and aren't under the same threat — which both protects the assets and removes the incentive to coerce that one person, since they're not a single point of failure.
The second is impersonation and deepfakes. A cloned voice on a call instructing a junior to "process this now" has already cost companies real money. Dual control breaks the attack because authorization isn't a voice or a message that can be faked — it's a cryptographic approval from a specific device held by a specific person, and you need N of them. A convincing deepfake of one principal cannot manufacture the independent sign-offs of the others. Pairing dual control with a verified secure channel for the request itself closes the loop: the people approving know the request is real, and the request can't proceed without enough of them genuinely agreeing.
7. Who this is for
Dual control earns its friction wherever a single authorization controls something large and irreversible:
- Family offices. Multiple principals, advisors and trustees, large and irreversible movements of wealth, and a strong desire that no single person — staff or family — can act alone. N-of-M maps directly onto how these structures already think about governance.
- Funds and investment partnerships. Capital calls, redemptions and large transactions that demand a quorum of signatories. Dual control enforces in software the sign-off rules that otherwise live in a partnership agreement nobody checks in real time.
- Joint accounts and partnerships. Two or more people who genuinely share control and want the software to reflect that neither can move significant value without the other knowing and agreeing.
- Crypto whales and treasuries. Where transfers are irreversible and theft is final, requiring multiple independent approvals before a large transaction is the difference between a contained incident and a total loss.
8. How Helix does it
Helix lets you define a set of trusted approvers and require N of them to authorize designated high-value actions before they complete. You choose the quorum that fits the stakes — 2-of-3 for a working partnership, 3-of-5 for a board or family — and you choose which actions are gated, from large transfers to sharing a vault to disabling a defense. A gated action enters a pending state, requests fan out over the encrypted channel, each approver confirms from their own device with their own keys, and only a genuine quorum lets it through. Because the approvals are bound to the specific action, no one can get a sign-off for one thing and substitute another.
Dual control sits alongside the rest of the suite rather than standing alone, and that's deliberate. The same encrypted transport that protects your messages carries the approval requests, so they can't be read or forged in flight. The dead man's switch and the device shield cover failure modes dual control doesn't — and dual control returns the favor by making sure those defenses can't be silently switched off. The honest framing is that dual control removes the single-approver weakness specifically; it doesn't replace device security, encryption, or good judgment, and it isn't meant to. Each layer is there because the others can't do its job.
9. The honest limits
Dual control is powerful and narrow, and it's important to be clear about both:
- It's only as strong as the independence of the approvers. If the same attacker compromises enough approvers' devices at once — or if N is set too low — the quorum can still be satisfied maliciously. Independence is the whole assumption: choose approvers who don't share a device, an account, a mailbox or an administrator, so that one phish or one stolen laptop can't take out several of them together.
- Availability is a real trade-off. A high N protects you better but means the action stalls when people are unreachable. Set the quorum for the failure you actually fear, and have a sane plan for losing access to an approver; that plan should itself need a quorum, since an ungated path to swap out approvers is a bypass of the control.
- It doesn't secure the device or the channel by itself. Dual control assumes the approval comes from the real person on a trusted device over a trusted channel. If a phone is fully compromised, the attacker may be able to act as that approver. That's why it pairs with device-level defense, not replaces it.
- It governs the action, not the wisdom of it. A quorum can still collectively approve a bad transfer. Dual control stops a single point of failure; it doesn't stop a group from being fooled together. It buys you a second look — use it.
Within those limits, dual control does one thing exceptionally well: it makes "one compromised, coerced, or impersonated person" insufficient to do the irreversible thing — which is exactly where the worst losses come from.