October 28, 2019

Make sure your loved ones can access your accounts when you no longer can

Make sure your loved ones can access your accounts when you no longer can

In previous posts in this series I covered how to create strong passwords, how to enable multi-factor authentication, and how to do this in such a way that you don't lock yourself out of your accounts.

One aspect I haven't dealt with yet is how you can make sure that your loved ones still can get access to your user accounts in case you die or when you are no longer available to access your accounts yourself.

In general people don't like to think about this, but it can save your relatives from a lot of troubles.

Create a simple step-by-step plan

It's important to document how to get access to your online accounts. This process should describe how a trusted person

  1. can get access to your passwords and other sensitive information
  2. can access your accounts

I deliberately split it out in 2 steps. Having access to someone's passwords doesn't automatically mean that you'll be able to login to their accounts. For accounts for which you have two-factor authentication enabled you should

  • describe how they get access to your smartphone ‌‌‌‌

or even better‌‌

  • whenever possible make sure that they don't need your smartphone (which might not be available anymore) to log in to your accounts. When available save two-factor authentication recovery codes for your online accounts (written down or stored in your password manager) and share them in a secure way with your loved ones. I'll give more info about this in the next section.

In this documentation it could be helfpul to explicitely describe how they can get access to your email account(s) because they can be used to reset or recover passwords for other accounts. Also don't forget to write down which tools you use, for instance which password manager and which authenticator app.

In any case, keep it as simple and clear.

Considerations to make depending on how you manage password security

Like we have seen in this post, using a password book or a password manager is a good way to manage your passwords. What's the best option for you depends on your technical knowledge and the particular security risks you might face.

Regardless of which of the two you use you must make sure to give at least one trusted person access.

When you use a password book you can just tell your loved ones where you keep your password book and they'll get immediate access to it.

For the accounts for which you have two-factor authentication enabled you could save the recovery codes in the same password book or write them down somewhere else.

If you use a password manager, depending on which one you use, there are different ways you can give people access. Some of them foresee emergency access functionality that lets you assign a list of trusted people who can access your password manager account after you die. This is the most elegant and secure solution because they will not be able to access your passwords when you're still alive.

If you use a password manager that doesn't provide this functionality, you can write down the access keys and document where they can be found. This is less secure, because it means that they could login to your password manager any time and access all your online accounts.

If you think this an unacceptable risk you could give parts of the access keys to different people such that only when they put these parts together they can gain access. Or you could write down the access keys in official documents that would go to your Executor.

Simulate the process

The only way to know if your relatives will be able to access your user accounts when you're no longer able to help them is by simulating the process that you have documented. This is certainly important when you're using tools like password managers or authenticator apps they might not have used before.

I'll give an example that hopefully make this clear.

Let's say you use a password manager for which you need to have a secret key and a master password to be able to log in. The scenario should be something like this:

  1. Let them install the password manager.
  2. Tell them to log in.
  3. When they are succesfully logged in to your password manager tell them to log in to a particular account for which you have enabled two-factor authentication. Preferably without having access to your smartphone, thus by using two-factor authentication recovery codes for that account.

If you're not using a password manager only step 3 is relevant to simulate. It's best to repeat this same scenario for a few accounts.

The necessary information for all these steps should have been described in your documentation. Take notes about what's not clear or missing and adapt the documentation accordingly. Maybe this simulation also highlights that you need to review your account security. For instance it might be that you haven't saved two-factor authentication recovery codes or (the answers to the) security questions to gain acces to a particular account without using your smartphone.

Note that if you don't want to share your password manager access keys while your alive you can log in yourself and just show them how it works.

Keep your step-by-step plan up to date

Make sure that the information in the step by step plan is up to date. When something fundamental changes in the way you manage your accounts it's also wise to do a new simulation.

Conclusion

Documenting how to access your accounts for when you're dead or no longer able to do it yourself might be not the most fun thing to do. But it's important for your loved ones. Keep this process as simple as possible for them and make sure to inform them where they can find the document. Also run through this scenario together with them to see if they understand how it works.

It could also imply that you need to apply some changes in the way you're managing your passwords or two-factor authentication at the moment.

That's it. More actionable security tips are for tomorrow. In the meantime stay safe online!