As I discussed previously, everyone should be using a password manager to store their unique passwords for all their online accounts.

While it is nice and secure, it can certainly seem more difficult to pass along your passwords upon your death. If you had a little notebook with all your passwords on it, you wouldn't be facing this issue (though you would still need the notebook to survive the circumstances of your death).

Fortunately, password managers have solved this problem. Furthermore, there are ways of passing on your two factor authentication (2FA) methods as well.

Passing on Passwords

LastPass and Dashlane (but not 1Password) are online password managers that both offer emergency access. To enable it, you add trusted contacts, who must have an account with LastPass/Dashlane, to your account, and also set a time period. At any time (though intended to be used upon your death), your trusted contacts can request access to your account, which then sends you an email. If you do not reject the request in the specified time window, your trusted contact is granted access to your account.

This presents a very secure way for your loved ones to acquire access to your accounts upon your death, while ensuring that they are not able to obtain access while you're alive.

Passing on Two Factor Authentication

Passing on 2FA secured by text messages (SMS) is as simple as passing on your phone. Your loved ones wouldn't even need to be able to unlock your phone because they can simply remove the SIM and insert it into some other phone to receive your text messages.

Passing on Authenticator Apps

The simplest way here is to record your phone's unlock PIN into your password database and grant your loved ones emergency access. However, this requires your phone to survive the circumstances of your death.

Outside of passing on your phone itself, there are several different ways to pass on account access when using authenticator apps like Google Authenticator or Authy that generate six digit codes according to the Time-based One-Time Password (TOTP) algorithm for 2FA: generating one time codes, saving the QR code/shared secret, or storing the codes in a separate hardware token like a Yubikey and passing that on.

One Time Codes

Many services that offer authenticator apps also offer one time codes, which are intended to be used if you have lost your phone. If you can securely store these while also making them available to your loved ones, it will enable them to log in once (after which they should either disable two factor authentication, or more preferably, link the two factor authentication to their phone instead).

I store these one time codes in my wallet. However, I would not rely on this to pass on to my loved ones, because if I were to die in a fire, these codes would burn up. Keeping them in a safe place in my home presents the same risk, although it can be mitigated by using a fireproof safe.

Saving the QR codes

As I mentioned previously, when you link your authenticator app with a service, it provides a QR code, which has a secret key embedded within it. If you save the QR code images in a safe place, then your loved ones can easily link their authenticator apps to your accounts.

Saving the Shared Secret

Whenever you link a service to your phone's authenticator app, you have the option of saying show secret (or something to that effect) instead of scanning the QR code. Embedded in the QR code is what amounts to a password; it is from this password and the current time that the six digit codes are generated. If you save this shared secret into a password database that your loved ones can access, then they can generate your codes.

Using a Yubikey

With the Yubikey 4 NEO, it is possible to store up to 28 TOTP shared secrets and use the Yubikey to generate the six digit codes. On a computer or Android phone, you can download the official authenticator app. For iOS, it appears there is not an official Yubico app, but there is a third party one available here. Once you plug your Yubikey into your computer, or tap your Yubikey to your phone via Near Field Communication (NFC), the app will generate the six digit codes.

Passing on U2F Keys

U2F keys such as the Yubikey (affiliate link, thank you for supporting my blog) are the most secure way of adding 2FA to your accounts. However, because part of their security stems from being a physical token that cannot be copied, there is no digital way of passing on these tokens. The only way for your loved ones to access your accounts secured by U2F keys is for them to obtain the key.

To practically use U2F keys, you will want at least two keys anyway, in case you lose one (virtually every service that allows you to register U2F keys will let you register multiple keys). You may want to consider getting another U2F key and handing it to your loved ones. To keep it up to date you'll have to mail it back and forth every time you register your primary U2F key with a new account (see the last section of this blog post for more clarification).

Adventures in #TheSeonwooWay: Passing on Passwords and 2FA

Passwords

I am too paranoid to use an online password manager. Using one is far better than not using one, but I prefer to use KeePassXC, an offline password manager. This makes it more difficult to pass on my password database, but it can be done with proper planning.

I created an account with Dashlane, and had my dad create an account as well. Their free version only allows you to store 50 passwords, but it still has the emergency access feature. My dad and I designated each other as emergency contacts and store only the passwords to our password databases in Dashlane. Furthermore, because I built a computer for backups and placed it at my parents' house, we always have up to date copies of each other's password databases. Upon death, we'll simply request emergency access to the other's Dashlane account, thereby getting access to the other's KeePass database.

2FA via Authenticator Apps

I store all the shared secrets for 2FA by authenticator apps in a separate KeePass database (because if I stored them all in my primary KeePass database, my second factor would cease to be a truly second factor), which my dad can use to generate the six digit codes. The password for this database is also in my Dashlane account.

However, it is probably easier for him to use the Yubikey I have at his residence, which has most of the shared secrets for accounts protected by TOTP.

2FA via U2F (Yubikey)

I have three Yubikeys, and have registered all of them with services that allow me to register multiple keys. By carrying one on my person, leaving one in my residence, and one at my parents' residence, I should always have a Yubikey available to me in case I lose my Yubikey, even if my residence burned down in a fire. Additionally, by virtue of having one of my Yubikeys, my dad will have no trouble getting past a U2F prompt on one of my accounts.

I ask my dad to mail me my Yubikey every time I sign up for a service that offers multiple U2F keys as part of their 2FA. Fortunately/unfortunately, not many services offer U2F, so this doesn't happen very often.