So you’re using a password manager and you’ve even enabled two-factor authentication on your password vault. That’s fantastic! Well done! But what happens if you somehow forget your master password? Or if you lose access to your two-factor authentication device? And I know it’s not fun to think about, but you should also be thinking about how your spouse or next of kin will obtain access to all of this important information if you were to become incapacitated or die. You need an access backup plan.
First, you need a backup for your master password. The simplest solution is to just write it down on a piece of paper and store that paper somewhere safe. You can gain a little security-by-obscurity if you don’t label what it is. However, if you want your next of kin to be able to use this, then you may need to label it. You could just have a separate document or note for them that tells them where to find this piece of paper. You could put it in a fire-proof safe at home and/or in a bank safe deposit box (though gaining access after death can be tricky sometimes). Obviously, you’ll need to change the paper copy if you ever change your master password.
Some password managers also allow you to set up one-time passwords (sometimes called recovery codes). These will get you into your password vault just like your master password, though the one-time passwords will only work (you guessed it) once. You can generate a handful of one-time passwords, print them off, and squirrel them away. Note that you may need to access your vault from a special login page to use a one-time password, so be sure you understand how to use these with your chosen service. (These one-time passwords can also be useful if you find yourself needing to access your vault from a computer you don’t trust).
You should never store your master password (or really any secrets) in a digital file that isn’t encrypted with a password or contained in an encrypted folder. Of course, doing this would mean having yet another password that needs to be remembered or written down somewhere.
Second Factor Device
You should set up two-factor authentication (2FA) on all your important accounts – especially your password manager. It means that bad guys need both your password and your 2FA device to access your accounts. Of course, it means that you do, too. If you lose access to your device, you’ll be locked out. I recommend using a two-factor authentication app that allows you to securely back up your account seed codes, either to the cloud or to another device using end-to-end encryption. Check out Authy (Android/iOS), Aegis (Android) or Raivo.
These seed codes are presented to you when you set up 2FA for an account, usually represented by a QR code but often as a text code, as well. You could save these text seed codes in an encrypted file or folder, or perhaps in a second password manager vault. Keeping these codes in your primary password vault isn’t ideal, though it’s not horrible. If someone were to guess or crack your master password, and get access to your password vault, then they would have everything they needed to get into all your accounts.
Another option is to print off the QR code or the text seed code. Don’t save this in digital form unless you encrypt it carefully (see above). But if you print it on a physical piece of paper, you can store it somewhere safe.
With these seed codes, you can set up two-factor authentication on a second device – like a spouse’s phone or a new phone if you lose or damage your original device. Any device set up with a given seed code will generate the same PIN codes, at the same time.
Access for Others
There are many cases where you may wish to share some or all of your account logins and other secrets with a trusted third party such as your spouse. You also need to carefully consider the case of granting access to your next of kin if something were to happen to you. Not only does your password vault have all your account passwords, it will also be a very helpful list of all the sites where you have accounts.
Most modern password managers have an emergency access feature. You can designate a person or persons who can be given conditional access to your vault. Once emergency access is set up, the trusted person can request access to your vault. You will usually have a grace period to speak up in case you wish to deny the request. If you fail to respond in the time allotted, the requester will be given access.
You can also simply share your master password with the trusted third party, or at least the location of the password. You could leave a note in a well-known location, such as your bank safe deposit box or a home safe. But just make sure that whoever you intend to pass this information on to knows where to find it. You should have a contingency plan for the case where you are temporarily incapacitated, as well – so that someone (preferably with power of attorney) can manage your accounts and affairs until you recover. (NOTE: Your master password is only half of the credentials – they also need to know the email address or username for your password manager account.)
Also make sure that your next of kin has access to your 2FA device or the account seed codes. This usually means making sure that they can unlock your smartphone. You can write down your phone’s security PIN code somewhere or you can add their face or fingerprint to the device’s biometric locking feature.
Some Final Thoughts
You might want to seriously consider having more than one backup. I usually like to have something at home that’s easy to access and something offsite in case something happens to my home or I can’t access my home. The other reason to have multiple backups is to utilize multiple formats. If you’re counting on VeraCrypt or Cryptomator, what happens if those tools are gone or work differently in 10 years? There’s a lot to be said for ink and paper.
You might consider using a passphrase instead of a password, but don’t count on remembering it. Also, your spouse or next of kin can’t read your mind. You might also think about using hardware keys, like a YubiKey, to access your vault. If you do this, be sure to make at least one backup key and store it in a safe place.
As passkeys become more common, you may no longer have a list of passwords – though you may still synchronize and back up your passkeys using a service. At that point, you may need to have a backup device for accessing them or a way to back up the passkey database to a secure file. We’re still working this stuff out.
It’s possible that you don’t want your next of kin to have access to everything. In this case, you can segregate your digital secrets. There are a couple of simple options. First, you could use two different password managers – maybe use the for-pay Bitwarden cloud-based service for things you want to share and the free and open source KeePass for your local-only private things. Second, you could keep your private files and notes in an encrypted folder (see above). You would then need to back up your encryption password in such a way that you could recover access to the folder without allowing anyone else to do so. (Note that you can appoint a second executor in your will to handle this stuff, too.)
You can find some interesting other ideas in this article about hardening your password manager. The purpose of the article is a little different than what I’m outlining here, but the solutions are similar. This Reddit post also has some great ideas.