Passwords, 2FA, and Your “Digital Legacy”

I’ve been using 1Password for some time to track passwords in our family, and it’s been helpful at getting us all to use long, random-character passwords, which is a Good Thing. And for many of our “mission critical” sites – banks, that kind of thing – we’ve enabled two-factor authentication, or 2FA.

But this creates a problem.

Most websites with 2FA want to text a code to your cell phone, which is fine. It’s convenient, and my phone is obviously a “token” I often have with me. If I lose my phone, it’s certainly inconvenient, but it can be replaced and the phone number transferred. I take care to lock my phone (using its Touch ID feature), so it’s reasonably protected against unauthorized use.

But I’ve recently been thinking about what would happen if I got hit by a bus, so to speak. Or worse, if my other half and I went down on a plane, or something equally catastrophic. How would our family get to all that information, passwords, and so on? Transferring the phone number of a dead person to a new device, so that you can access their accounts, is non-trivial.

We’d identified all this as a problem previously, and taken some steps to deal with it. Our main concern was providing access to key information to our successors, while ensuring they didn’t have ad-hoc access without our knowledge.

Here’s what we’d set up: We created six sheets each containing a selection of eight numbers and letters, all drawn from a 12-character pool. Each sheet contained a different selection of eight characters, and these sheets were distributed to close friends and family members. Our successors were then given instruction sheets, which were useless without all 12 characters from the pool. All 12 characters could be derived by calling any combination of our six “PIN holders.” With all 12 characters in hand, they could decode our house combination locks, fire safes, and so on. Within one fire safe was a PIN-protected USB flash drive, containing all our key documents. This was clever, but hardly convenient to keep updated. If I didn’t remember to dump 1Password to the USB flash drive every so often, the whole scheme would be wasted.

It was clearly time to try something smarter, while perhaps leaving the old cloak-and-dagger plan in place as a backup.

My first step was to switch to LastPass. Within the family, we can still sync passwords in real-time. And like 1Password, we can load in “Secure Notes” containing insurance policy information, locations of key hardcopy documents, etc. But LastPass also has an “Emergency Access” feature. This enables us to “trust” one or more individuals – like an executor or distant family member. They can, in a time of need, request access to our LastPass vault. They don’t get it immediately – we’ve set a several-days wait period, during which we’ll be notified of the request and given a chance to cancel it. This keeps someone from requesting access maliciously. Once the timeout expires, they’re “in,” and have everything they need. LastPass also contains our combination codes for the house safes, copies of key documents like wills and trusts, and so on.

The next step was to deal with 2FA, which was still a problem. For many sites, we could generate backup codes that would let someone access the account without needing the 2FA. So those backup codes, when available, went into LastPass. For other sites, I was able to switch 2FA to the Authy app. This is way better than Google Authenticator, but still supports Authenticator tokens. It’s better because they keep a backup of those tokens, encrypted using a password only I – and LastPass – know. This gives a successor the ability to install Authy, sign in as me, provide my backup password, and gain access to those 2FA tokens. It’s a little roundabout, yes.
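What an authenticator “token” actually is, as an added example that is not part of the original post. An app-based 2FA token is a TOTP seed (RFC 6238): the site shows it once at enrollment as an otpauth:// URI behind a QR code, and any authenticator can import it. Keeping that seed (or the URI) in the vault gives a successor the same codes without depending on one app’s backup. The seed below is the RFC 6238 test-vector secret, the issuer and account names are made up, and the function names are chosen here.

```python
"""A 2FA 'token' is a TOTP seed; this shows the seed, the otpauth:// URI that
carries it, and the code generation an authenticator app performs.
The seed is the RFC 6238 Appendix B test secret, not a real account's.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

SEED = b"12345678901234567890"   # RFC 6238 test-vector secret (constructed input)


def otpauth_uri(seed: bytes, issuer: str, account: str) -> str:
    """Build the URI an authenticator reads from the enrollment QR code."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def seed_from_uri(uri: str) -> bytes:
    """Parse the base32 secret back out of an otpauth:// URI."""
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)       # restore padding that QR URIs drop
    return base64.b32decode(b32)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(seed: bytes, at=None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time()) if at is None else at
    return hotp(seed, t // period, digits)


def verify_totp(seed: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    step = at // 30
    return any(hmac.compare_digest(hotp(seed, step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    uri = otpauth_uri(SEED, "Example Bank", "alice@example.com")
    print("store this in the vault:", uri)
    assert seed_from_uri(uri) == SEED
    print("current code:", totp(SEED))
```

Whoever holds the seed can mint codes for that account forever, so the vault entry deserves the same protection as the password itself; the upside for a successor is that any RFC 6238 app, not only the one the owner used, will accept it.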

For any site offering 2FA, but only supporting SMS messages and not providing backup codes, I’ve made a choice: either shut off the 2FA or, if the site is really crucial, document in LastPass what’s going on. For things like banks, which already have established dead-person-successor policies, it’s less of a big deal. For others, I’ve shut off 2FA unless the site is really critical in terms of the information it stores and its importance to my life. In a couple of instances, I’ve simply deleted my account on the site.

So I’m curious – what do you use to ensure your loved ones or successors will have access to your accounts if you die, or become too damaged to convey that information? How have you decided to deal with 2FA in those situations, particularly 2FA that relies on your cell phone – which might be difficult for a successor to obtain or access?