Now that we have native multisigs

Would be super cool to introduce a “Guardian” type feature from the likes of MultiversX (Guard accounts • MultiversX Docs)

Guardians on MultiversX are an on-chain 2FA co-signer for your wallet: once enabled, every transaction from your account must also be signed by a designated “Guardian,” blocking thieves even if they have your seed phrase.

How it works (high level)

  • You set a Guardian for your address, then, after a mandatory cooldown, you “guard” the account. From that point, transactions include an extra guardian signature and won’t execute without it.

  • If an attacker gets your seed, they still can’t move funds; at most they can request a Guardian change, which you can see and cancel during the cooldown window.

Two common ways to use it

  • Invisible Guardian (xPortal app): Your phone stores an encrypted, device-local Guardian that silently co-signs transactions. Setup requires enabling, waiting the cooldown, then activating. If you enable this, you’ll sign from xPortal (not by importing the seed into other apps).

  • 2FA Guardian (Web/Extension): Use an authenticator-backed Trusted Co-Signer (TCS) that approves transactions after you confirm a 2FA code.

I’m just providing the information above for reference purposes. The goal for us is to provide some kind of extra layer of security for people in cases where seed phrases are stolen.

5 Likes

Without much understanding of how Guardians on MultiversX work (yet?) beyond asking Claude and a few pointers, there are a few aspects that don’t seem to fit naturally/straightforwardly into the design of Tezos native multisig accounts. Notably, in MultiversX’s guardians there is an implicit main-slave relationship between the keys:

  • the ability to rotate (“request”) a guardian change can be requested by the owner without 2FA (or a threshold of guardians).
  • there is an implicit recovery mechanism that might have different rules than spend rules.
  • the main key sets everything up the first time.

With native multisig accounts you could indeed set up an enshrined (but very strict) 2FA with a 2-of-2 aggregation scheme, but once it is set, you will need both signatures to do anything (and there is no “cooldown”). If either of the keys is lost, you are forever stuck.

Also, if you set a threshold native multisig account there is no direct way to distinguish between the main key and the guardian key: a threshold native multisig account cannot be (directly) set up so that you can sign with main + a threshold of 2FA.

But maybe something can be explored using a hybrid setup combining native multisigs and moving part of the business logic to smart contracts (to implement the guardian rotation and the cooldown).

2 Likes
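
The guardian rules discussed in this thread (owner-only rotation requests, a cooldown, co-signed spending) can be written down as a small state machine. This is an added illustration, not code from either post, MultiversX, or Tezos: signatures are modelled as a set of signer names, and `COOLDOWN`, the key names, and the rule that cancelling needs the guardian's co-signature are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

COOLDOWN = 20  # constructed value, abstract time units (e.g. blocks)

@dataclass
class GuardedAccount:
    owner: str
    guardian: Optional[str] = None             # active guardian key
    pending: Optional[Tuple[str, int]] = None  # (new guardian, activation time)
    guarded: bool = False

    def _promote(self, now: int) -> None:
        # A pending guardian becomes active once its cooldown has elapsed.
        if self.pending and now >= self.pending[1]:
            self.guardian, self.pending = self.pending[0], None

    def authorized(self, signers: Set[str], now: int) -> bool:
        # Owner always signs; once guarded, the active guardian must co-sign.
        self._promote(now)
        return self.owner in signers and (not self.guarded or self.guardian in signers)

    def set_guardian(self, new: str, signers: Set[str], now: int) -> None:
        # The owner key alone may request a change, but it is delayed by the cooldown.
        self._promote(now)
        if self.owner not in signers:
            raise PermissionError("owner signature required")
        self.pending = (new, now + COOLDOWN)

    def cancel_pending(self, signers: Set[str], now: int) -> None:
        # Assumption: cancelling is an ordinary guarded action (needs the co-signer).
        if not self.authorized(signers, now):
            raise PermissionError("guardian co-signature required")
        self.pending = None

    def guard(self, signers: Set[str], now: int) -> None:
        self._promote(now)
        if self.owner not in signers or self.guardian is None:
            raise PermissionError("owner signature and an active guardian required")
        self.guarded = True

def stolen_seed_outcome(owner_cancels: bool) -> bool:
    """Return True if a seed-only thief can spend after requesting a guardian swap."""
    acct = GuardedAccount("owner")
    acct.set_guardian("phone", {"owner"}, now=0)
    acct.guard({"owner"}, now=COOLDOWN)
    acct.set_guardian("thief-guardian", {"owner"}, now=30)  # thief holds the seed only
    if owner_cancels:
        acct.cancel_pending({"owner", "phone"}, now=40)      # inside the cooldown window
    return acct.authorized({"owner", "thief-guardian"}, now=30 + COOLDOWN)
```

The two outcomes of `stolen_seed_outcome` show that the protection depends on the owner noticing and cancelling the pending change before the cooldown ends, which is the part a hybrid contract would have to make observable.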