If we’ve learned anything since the beginning of 2020, it has to be that the future is uncertain. Despite going through a pandemic and a war in Europe, “most people” still won’t plan for the inevitable: death.
I don’t blame or judge anyone who has put off writing a will or making contingency plans. Thinking about bad stuff is hard, especially when the easy way out is to just ignore it.
Consolidate all accounts in a password manager and note how to restore access in case there is 2FA set up. Write down how to restore access to the password manager.
Why Disaster Recovery Matters for the Digital Realm
While having different meanings in different contexts, here Disaster Recovery simply means having the ability to recover in case of a disaster. A clear example would be in the case of death.
People have been dying for thousands of years, and what to do when someone dies is quite clear. While not pleasant or easy, it is clear and well-understood.
What is not so clear is what to do with the digital footprint left behind.
Some platforms had to deal with this quite early on, especially social media, and I’m sure we will see better support as more people leave us as the years go by. The social nature of social media means that friends and family know that there is an account, and that it would be appropriate to close that account.
But what about accounts that others don’t know about?
And what if the service won’t cooperate and grant you access?
This may be compounded by the fact that online services exist… online. You’re not guaranteed to get help with accessing or closing an account if it’s hosted in a different country.
Even if You Would Live Forever…
Death is not the only disaster. Unfortunately.
Even if death is a good example of when someone might need to do a disaster recovery, it’s far from the only one. Consider being robbed and losing access to your two-factor token, or ending up incapacitated in a hospital.
Disaster recovery is about having the ability to regain access in case something happens. A bad actor, bad luck, or something unexpected should not be able to prevent you from accessing your email.
Laying the Foundation
Making a disaster recovery plan is not difficult. Here are the basics:
- What accounts do you have?
- How would someone else access those accounts in case you and your devices were unavailable?
If you’ve read this far, chances are you already have a password manager. If you are in the minority and do not have a password manager, then for the love of your favourite deity get a password manager. It will be unsustainable to keep the plan up to date without one.
Elaborating on the two main points, we can draft a to-do list:
1. Create a List of all Accounts
Create a list of all accounts you have, and make sure you have all accounts saved in your password manager.
Having a password manager is not only excellent for storing strong passwords – it doubles as an account list. You can see where you are registered.
2. Ensure it’s up to Date
Make sure all entries in your password manager are up to date and that all accounts can be accessed with only the information present there.
It’s easy to update a password and save it in the web browser or OS keychain, only to discover months later that you can’t log on from your phone or another computer.
3. Identify 2FA Accounts
Clearly identify accounts with two-factor authentication enabled. If the 2FA is not stored in the password manager, then indicate which 2FA is used.
Some sites will prompt you to enable 2FA, and it’s easy to forget to add this information to the password manager. While 2FA is excellent for keeping an account secure, it will prevent you from logging on if you lose your token (e.g. smartphone).
4. Recovery for 2FA Accounts
For accounts requiring 2FA or something not stored in the password manager, detail how to regain control over those accounts.
There is no standard for how to disable or bypass 2FA, so every site, application, and company will have their own approach. Maybe it will be enough to contact support, but perhaps you need to prove your identity in one way or another.
If the 2FA cannot be removed or bypassed, then you have to get a bit creative. The most common 2FA today is time-based one-time passwords (TOTP), where you have to enter a passcode every time you want to log on. The passcode is displayed on your phone (or whatever token you use) and will change every 30 or so seconds.
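TOTP is set up by saving a secret code that the site shares with your token, so you can essentially back up a new TOTP 2FA by writing down that code when you set it up. The code is often displayed as a QR code.
It might not be appropriate to save the TOTP 2FA in your password manager, since both factors would then be stored in the same place.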
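The TOTP backup described above, as an added example that is not part of the original post: this Python code parses the setup URI that a QR code typically encodes and regenerates the passcode from the written-down secret alone, following RFC 6238. The sample URI and the function names are constructed for illustration, and the secret is the RFC's published test key.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a setup QR code encodes. The secret is the RFC 6238
# test key ("12345678901234567890" in base32), not a real account's seed.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Extract what must be written down to regenerate codes later."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP setup URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("no secret in URI, nothing to back up")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),      # common default
        "period": int(query.get("period", 30)),     # common default, in seconds
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def totp(secret, at, digits=6, period=30, algorithm="sha1"):
    """Passcode for Unix time `at`, computed from the backed-up secret only."""
    # Written-down secrets often contain spaces, lower case and no padding.
    cleaned = secret.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, algorithm).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def code_from_backup(uri, at):
    """What someone holding only the paper backup would compute."""
    f = parse_otpauth(uri)
    return totp(f["secret"], at, f["digits"], f["period"], f["algorithm"])


if __name__ == "__main__":
    import time
    print(code_from_backup(SAMPLE_URI, time.time()))
```

Anyone who holds the secret can produce valid passcodes on any device, which is why the written-down code deserves the same protection as the password itself.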
5. One Password to Rule Them All
Don’t forget your password manager. If you can’t recover access to your password manager, then other recoveries would be rendered impossible.
A common approach is to write down the recovery instructions together with the main password(s) on a piece of paper. Store it in a secure place. If you’re feeling fancy you could put it in an envelope and seal it with a wax seal ;).
Verifying Disaster Recovery
You’re all set up after having consolidated all accounts, credentials, and instructions. To make sure you didn’t miss or forget anything you need to try to do a recovery.
No, you don’t need to do this for everything, only for the accounts you consider essential. Commonly essential accounts would be social media and email. Remember to verify the recovery process for the password manager as well!
When validating, do try to remove 2FA to make sure that works in case you lose your smartphone.
Setting up Disaster Recovery
A real disaster means you’re not able to restore access yourself. Here you have a couple of different approaches depending on what you feel comfortable with. If you’ve consolidated everything into your password manager, then you essentially only need to allow access to the password manager in order to facilitate everything else.
To do this you need to decide how it should work, and who you should trust. I’ll give you a few examples:
- You could lock the recovery instructions for your password manager in a safe or a safety deposit box, and tell friends and family about it. If something happens they will in time be able to unlock it and gain access. Safety deposit boxes may require you to sign an authorisation, so that could be problematic if you are unconscious.
- You could share the recovery instructions directly with friends and family, but then whoever you entrust will be able to backdoor your accounts, knowingly or not. For example, their computer may be hacked down the line, and as a result your password manager’s master key gets compromised.
- You could share the recovery instructions with friends and family, but split the password into pieces. To regain access, everyone you select must get together and piece together the secret.
- You could split the secret password and instead require that a certain number of trustees agree to recover it, using e.g. Shamir’s Secret Sharing.
Whichever way you choose to go, just make sure that recovery is actually possible. What if you’re travelling with whomever you trust to recover your account, and you’re all in an accident?
For me personally, it took a lot of determination to get started with this, but as I went along and set up my own disaster recovery plan it got easier. I realized that it’s not about the bad things – whatever caused you to need the recovery process – it’s about knowing that there is a solution in case you need it.
And as I helped friends and family with this, we all realized that accessing Facebook, Gmail, or Steam is not going to be another hurdle to get in the way when everything else is really hard.