Two-Factor Authentication, revisited: How to transfer your digital information

August 26, 2021
Neil Charness, Ph.D., Director, Institute for Successful Longevity

I recently wrote about the need to plan ways to transfer your digital assets to heirs, particularly in light of the increased deployment of two-factor authentication (2FA). My advice is to provide heirs with the necessary information to log in to critical accounts (account name, password) and to use a form of 2FA such as a physical USB key to provide access to devices such as smartphones, tablets, and computers. The reason for arguing for a USB key or other 2FA physical authentication method is that biometric information such as a fingerprint will not work when you die.

Here, I would like to talk about how to transfer your digital information safely and cover some of the risks of sharing this information.

Some of you may be familiar with Shakespeare’s famous tragedy, King Lear. Lear, an English king, gave up the keys to the kingdom to his treacherous heirs prematurely, ended up losing his power, financial resources, dignity, and finally his life. Hopefully, your heirs will prove to be less like Lear’s ungrateful daughters, Regan and Goneril, and more like his loving daughter, Cordelia. However, an important decision is how to safely transfer your digital assets if you do suspect that some heirs are too immature or careless to manage them should you share them while you are alive.

You need to take care. There are many examples of dangers arising from sharing financial resources, such as through shared bank accounts, co-signed credit cards, or jointly guaranteed loans. You are on the hook if your partner on the account misuses funds.

The difference with newer asset types is that a single digital portal, such as your email account, may provide the keys to your digital kingdom. How? Verification emails are typically sent to your email when, for instance, there is a change to one of your registered accounts, such as switching to a new email address or changing the form of payment. Imagine that a hacker (or worse yet, your faithless daughter Goneril) has learned or guessed your email name and password. The first thing that they might do is to change the password and contact email address to their personal password and email in order to take full control of the account. Now they can use the information in that email account to learn about other accounts and take them over, too.

Of course, if you implemented two-factor authentication on these accounts, people (hackers, Regan & Goneril) cannot access them without that second factor (account name and password are not enough), so you should probably adopt 2FA for those accounts. Still, you need to keep in mind the need to share that second form of authentication on death or disablement with a trustworthy person.

How you do this is up to you. You could store a backup of the second factor, if it is in the form of a USB key, with an attorney or other trusted professional and let your heirs know in advance that they will need to contact that person. You could store the backup, along with your email account name and password in a safe in your home and let your heirs know the combination to the safe. You could be even fancier, if you have a Google account, and use their Inactive Account Manager feature It generates an automated email to designated parties three months after you’ve stopped accessing Google services, presumably because you died or became disabled. That automatically generated email could contain the combination to the safe or other information as part of the message.

Of course, you will need to review your account settings, perhaps annually, to make sure that the email address or addresses are up to date.

Another concern is with automatic payment of recurring bills. Many of our accounts are now “virtually” controlled. For instance, to get the best rates for mobile phone accounts, you need to provide automated billing/access to your account. The same is often the case for Internet services or wired telephone accounts. Vendors want to be assured of payment, eliminate the cost of mailing you bills, and directly access bank or credit-card accounts. Should you die suddenly or become incapacitated, companies will automatically continue debiting your accounts for services that you can no longer cancel, until your heirs can find information about them and terminate those services on your behalf.

If you used Google’s automated email, your heirs might only get access to the safe, and hence information about such accounts, months after you die or become incapacitated. I suppose it is better late than never.

Even with careful planning of this type, there are still “gotchas” for heirs. For instance, say that your heirs try to turn off a smartphone account. They may need a third form of identification, an account code, in addition to the other forms of identification, so you ought to make that information available to heirs as well.

In summary, transferring your digital assets takes planning, not unlike other aspects of your estate. However, digital assets have unique features that require extra effort on your part if you want to transfer them safely and minimize stress for your heirs. Hopefully, those heirs will behave more like Cordelia than Regan and Goneril.