Take steps to ensure your heirs have access to your digital assets

February 9, 2021
Neil Charness, Ph.D. Director, Institute for Successful Longevity

If you are like me, you have valuable data assets stored in electronic devices such as computers, smartphones, and tablets. As more and more of our transactions have become electronic, our heirs may face enormous challenges recovering that information after we die or become incapacitated. The challenges are increasing with two-factor authentication (2FA) processes guarding our devices and accounts.


If heirs were lucky in the past, you provided them with access to your computing devices by sharing passwords in some secure format, such as placing them in a physical safe that they had access to upon your death or incapacity.  However, because phishing scams and hacking generally have become commonplace as a way to steal a user’s account information and passwords, companies like Google, Apple, Microsoft, and Amazon are increasingly encouraging or even requiring that accounts become safeguarded with 2FA.

Florida State University now requires two-factor authentication to access a work account, following the rule of requiring two pieces of information before letting you access an account.  The first factor is something you know: your account name and associated password. The second factor is something that you alone possess: biometrics such as a fingerprint or iris scan, your smartphone, or possibly a hardware key. That way, even if someone hacks your computer or tricks you into giving up your account name and password through phishing, they still can’t log in to your account without that second factor.

Usually, you set up 2FA by specifying how you will be contacted for the second form of authentication. The most common and easily managed form of two-factor authentication involves sending a message to your smartphone and asking you to acknowledge that message, basically proving that “you are you” through possession of the device and responding to the challenge within a short period of time. The challenge is sent either through an app that runs in the background on your phone (e.g., Google’s Duo app), or through a message sent to you by SMS (text message), via an e-mail, or, if you don’t have a smartphone, through an old-fashioned telephone call that reads the digits to you so that you can type them into your computer as you log in to your account.

When using a smartphone to log into a bank account, 2FA challenges may allow you to authenticate with a biometric such as a registered fingerprint or retinal scan, in addition to an account name and password. But what if you lose your smartphone or you are in a dead zone for cellular service? How do you get into your account? There are sometimes alternate ways to prove that “you are you” through answers to questions that only you are likely to know, such as the city you were born in, the model of your first car, your favorite movie, etc. But these ways of authenticating access are time-consuming and may be hampered if, for instance, you lose your smartphone on that exotic vacation.

Worse yet, if you die and your smartphone is safeguarded (by a fingerprint, retinal scan, or password), your heirs may be stymied for weeks, even if equipped with powers of attorney, as they go through alternate routes to gain access. 

There are some solutions to consider. The first is: Don’t die. Mind you, if you know how to live eternally then you are already in a different league than the rest of us mortals and can stop reading now. As mentioned earlier, another risk is dementia, rendering you incapable of even managing 2FA on your own. So, since it is difficult to avoid dying and hard to completely rule out developing dementia or another form of cognitive impairment, you need to have alternate methods to provide loved ones with access to your 2FA-protected electronic accounts.

Although it is not yet used universally for two-factor authentication, a hardware key (e.g., YubiKey) may offer something that can easily transfer to an heir or partner.  These are USB devices that you can purchase relatively inexpensively.  They work when you plug them into a port on your computer or tablet or by communicating wirelessly with your smartphone using near-field communication (NFC) to authenticate that “you are you.”  You may already have turned on NFC on your smartphone in order to pay for goods and services.  Once you register hardware keys with your account, the 2FA challenge requires you to activate the hardware key by plugging it into a port on your computing device and touching a sensor on the key.  Anyone with the key can authenticate to your registered account (assuming they have the first factor: your account name and password, and that the key does not require a biometric such as a fingerprint to activate).

So, much like your smartphone, you should be careful not to lose a hardware key.  If it is to be your only authentication method, you ought to register a backup hardware key with the accounts you want to protect and then safely store the backup. 

Unlike a fingerprint or retinal scan that no longer works when you die, the hardware key can stay behind, and hopefully, in the right hands that have been provided with the first factor, provide access to your accounts.  (The fraught topic of being defrauded by those you trust will have to wait for another column.)

Although the digital economy was meant to reduce friction for transactions, it can also introduce complexities, such as the two-factor authentication required to guard against hacking and password theft. We don’t often consider all the ramifications of activating 2FA for our accounts, particularly how we provide access to heirs who may need our digital information to settle our estate.

Plan carefully now for how to safely pass on your digital assets!