10-25-2019 05:59 PM - edited 01-05-2022 09:33 AM
I want to give my spouse access to my digital IDs as part of an estate plan. I've put the high-value stuff (banking passwords etc.) on my Microsoft One Drive Personal Vault, which requires 2FA. For a proper 2FA, I wanted the phone to be the "something you have". If my phone perishes with me in an accident or something, and my spouse needs the phone to access Personal Vault, can she move the number to a new SIM without access to my e-mail?
10-28-2019 03:57 PM
10-28-2019 03:27 PM
@coghlanpf wrote: @srlawren Okay, same question then. If the phone and I both meet our demise, isn't the authenticator app tied to the phone and, if so, how does she create another instance of it?
To me, the phone is the key. It travels with me everywhere and is, therefore, the best candidate as the "thing that I have" (too bad the SIM is such a weak credential, though). If I kick the bucket and my phone remains intact, it's otherwise a great second factor for her to use to access my personal information.
@coghlanpf I haven't started using Microsoft Authenticator just yet so I can't speak to how it works. I do use Authy as my Google Authenticator client for exactly this reason though. I can run Authy on multiple devices (including on my PC at work through a Chrome App) and can access my 2FA tokens from any of those devices. So if I were away with 1 of those devices and lost it, I could still access via one of my other devices.
That said, my recommendation stands to look at LastPass and how it implements the digital estate access scenario.
10-26-2019 08:24 PM
Just implement a "non-digital" 2FA mechanism.
Leave half the user/password info in a sealed envelope with lawyer or safety-deposit box or whatever - requiring proof of owner's death and a whitelisted ID to access the contents.
Leave the other half of the user/password info with the authorized person (wife) - requiring access to the "secured" part of the information to make any sense of it.
But, honestly, it's far less hassle to trust someone - wife, lawyer, notary, professional, etc. There's articles online about digital estates, they all boil down to making things as simple as possible (instead of erecting additional obstacles) for your loved ones after you're gone.
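An added example (not from the thread) of the two-envelope idea above, written in Python: rather than literally handing each party half of the password string, which leaves each holder with half the secret, one party keeps a random share and the other keeps the complementary XOR share. Neither share alone says anything about the password; both are needed to rebuild it. The hex strings are what would go in the envelope and with the spouse, and the sample password is constructed.

```python
import secrets
from typing import Tuple


def split_secret(secret: str) -> Tuple[str, str]:
    """2-of-2 one-time-pad split.

    share_a is uniformly random, share_b = secret XOR share_a.
    Each share on its own is independent of the secret, so a lawyer
    holding one envelope learns nothing without the other half.
    Returned as hex so they can be printed and stored on paper.
    """
    data = secret.encode("utf-8")
    share_a = secrets.token_bytes(len(data))
    share_b = bytes(d ^ a for d, a in zip(data, share_a))
    return share_a.hex(), share_b.hex()


def recover_secret(share_a_hex: str, share_b_hex: str) -> str:
    """Combine both shares; fails loudly if they do not belong together."""
    a = bytes.fromhex(share_a_hex)
    b = bytes.fromhex(share_b_hex)
    if len(a) != len(b):
        raise ValueError("shares differ in length; not a matching pair")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample, not a real credential.
    lawyer_copy, spouse_copy = split_secret("bank login: alice / correct-horse-9")
    print("envelope for lawyer :", lawyer_copy)
    print("copy for spouse     :", spouse_copy)
    print("recovered           :", recover_secret(lawyer_copy, spouse_copy))
```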
10-26-2019 08:00 PM
@coghlanpf If you use 2FA on Google accounts etc, there is always an option to print a backup code that would come in the play in a lost phone / authenticator situation.
As for secure vault, you can always encrypt the data into a file using apps like VeraCrypt and sync it up to your cloud app.
10-26-2019 02:33 PM - edited 10-26-2019 02:34 PM
A mod told me that the process of setting up an existing PM number on a new phone does not require e-mail verification, just the PM credentials and the following step:
In that case, I should probably start by selecting a more secure password for my PM account
10-26-2019 09:27 AM
@coghlanpf wrote: @GinYVR Thanks for the explanation of the QR code. Neither the Google or MS authenticators work with Personal Vault, apparently. Even if they did, e-mail passwords are one of the things I want to put in the vault, since they put a lot of power in the hands of online criminals.
I still like the idea of putting lower-value digital assets and account IDs (without passwords) on something that can be shared, such as Google Drive, and the high-value assets on some kind of vault that requires something I (or designated surviving family member(s)) need something I have (e.g. phone) to gain access.
I thought about just using a flash drive etc. squirreled away at home with the high-value info, but like the main parachutes on a space capsule, it has to be 100% reliable when required.
We never did answer the question of what is required to legitimately replace a lost phone. If this requires e-mail access, I'm back to square one.
@coghlanpf I have a slightly used enigma machine stored somewhere in my basement you could have... it's a little dusty and has some cobwebs but I'm sure with a good lick and some polish, a touch of elbow grease and a can of wd40 we could get her up and running...
10-26-2019 08:58 AM - edited 10-26-2019 09:14 AM
@GinYVR Thanks for the explanation of the QR code. Neither the Google or MS authenticators work with Personal Vault, apparently. Even if they did, e-mail passwords are one of the things I want to put in the vault, since they put a lot of power in the hands of online criminals.
I still like the idea of putting lower-value digital assets and account IDs (without passwords) on something that can be shared, such as Google Drive, and the high-value assets on some kind of vault that requires something I (or designated surviving family member(s)) need something I have (e.g. phone) to gain access.
I thought about just using a flash drive etc. squirreled away at home with the high-value info, but like the main parachutes on a space capsule, it has to be 100% reliable when required.
We never did answer the question of what is required to legitimately replace a lost phone. If this requires e-mail access, I'm back to square one.
10-25-2019 07:52 PM
@coghlanpf Wirecutter has an article about different Authenticators https://thewirecutter.com/reviews/best-two-factor-authentication-app/
If you are an IT person and want to avoid storing data in the States you can also try BitWarden where with a professional license you can host your own server.
10-25-2019 07:37 PM
@coghlanpf Authy and password managers have recovery options that allow you to run the authenticator on multiple devices. Those one time keys are 40-bit encryption keys. The QR code you scan is just a graphic representation of the key. If you jot down the key you can reuse it anywhere.
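An added example, not from this thread, showing the point above in Python: the QR code an authenticator scans is just an otpauth:// URI, and the base32 secret inside it is the real restore key. The same secret entered on a second device (or written on paper) produces the same six-digit code, which is what makes the multi-device and backup-code setups work. The enrolment URI and account name are constructed; the secret is the RFC 6238 test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def secret_from_otpauth_uri(uri: str) -> str:
    """Pull the base32 secret out of an otpauth://totp/... URI.
    The QR code is only this URI rendered as an image, so the secret
    written out as text is everything needed to re-enrol anywhere."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    return parse_qs(parsed.query)["secret"][0]


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme used by the common
    authenticator apps for scanned QR codes."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)      # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


# Constructed enrolment URI. The secret is the RFC 6238 test key
# "12345678901234567890" in base32, so the codes below are the RFC's vectors.
EXAMPLE_URI = (
    "otpauth://totp/PersonalVault:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=PersonalVault"
)


def codes_agree_on_two_devices(uri: str, unix_time: int) -> bool:
    """The phone enrols from the QR; the second device is enrolled from
    the secret copied off paper. Same key, same code at the same time."""
    phone_secret = secret_from_otpauth_uri(uri)
    paper_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    return totp_code(phone_secret, unix_time) == totp_code(paper_secret, unix_time)


if __name__ == "__main__":
    print(totp_code(secret_from_otpauth_uri(EXAMPLE_URI), 59))  # 287082
    print(codes_agree_on_two_devices(EXAMPLE_URI, 59))          # True
```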
10-25-2019 07:32 PM
@srlawren Okay, same question then. If the phone and I both meet our demise, isn't the authenticator app tied to the phone and, if so, how does she create another instance of it?
To me, the phone is the key. It travels with me everywhere and is, therefore, the best candidate as the "thing that I have" (too bad the SIM is such a weak credential, though). If I kick the bucket and my phone remains intact, it's otherwise a great second factor for her to use to access my personal information.
10-25-2019 07:25 PM
@coghlanpf wrote: @88cranston I also thought about using something like an Aegis Key, but that's another PIN/password for her to remember, and if it's misplaced...
Wow. That is neat!! But expensive!!!
10-25-2019 07:22 PM
What is the name of the first street you lived on together (Main) (or postal code W7W7W1)?
10-25-2019 07:21 PM
@coghlanpf wrote: Thought about that, but I don't think One Drive accepts Google Authenticator...plus remember that I only want a surviving spouse to get at my most sensitive info if I'm no longer around, and possession of my phone is the "bar". Access to my e-mail password via a key logger isn't going to cut it. This isn't a slight against my spouse, it's just that personal passwords must remain so...until I'm gone.
@coghlanpf Microsoft have their own Authenticator app - for Android and for iPhone.
You may want to consider using LastPass instead. It offers Emergency Access with a configurable confirmation time. More here: https://blog.lastpass.com/2018/11/3-ways-to-prepare-for-your-digital-afterlife.html/ and https://support.logmeininc.com/lastpass/help/set-up-and-manage-emergency-access-lp030013
10-25-2019 07:19 PM
@geopublic wrote: @coghlanpf Noted, but considering how easy it is to hijack one's sim and take over one's phone I would never use the phone as a secure 2FA method IMHO.
lol. I am old!!! I would not use the cloud for anything other than syncing my iPhone with my iPad for pics, contacts, and books!!!
Maybe just wise not to trust any third-party application between you and a company or? Like Skip the Dishes is no longer trustable. I would not put my credit card in ANY app.
10-25-2019 07:19 PM - edited 10-25-2019 07:21 PM
@coghlanpf Don't use phone number as a 2FA EVER, especially Public Mobile since in the event of a SIM jacking it will take say 48 hours for them to respond to you, it will be way too late.
Use a proper 2FA app like Authy or hardware Yubikey AND print out a restore key and keep it somewhere safe like in an actual safe or a safety deposit box at a financial institution that knows who you are.
10-25-2019 07:18 PM
@88cranston I also thought about using something like an Aegis Key, but that's another PIN/password for her to remember, and if it's misplaced...
10-25-2019 07:11 PM
Granted, but I looked around and the selection of online vaults with 2FA seemed quite limited, and I wanted something that my spouse could possess as a second factor before gaining access to my list of passwords stored in something like Personal Vault, and phone/SMS seems to be the best option for now.
10-25-2019 07:02 PM
Develop an Excel File. Make a page each for A B C D.......
Put your info in there.
Save it with a password
Put it on a thumb drive
Update it monthly
Store it in a lock box or safe.
Or safety deposit box and rotate it.
10-25-2019 06:50 PM
@coghlanpf Noted, but considering how easy it is to hijack one's sim and take over one's phone I would never use the phone as a secure 2FA method IMHO.
10-25-2019 06:42 PM - edited 10-25-2019 06:44 PM
Thought about that, but I don't think One Drive accepts Google Authenticator...plus remember that I only want a surviving spouse to get at my most sensitive info if I'm no longer around, and possession of my phone is the "bar". Access to my e-mail password via a key logger isn't going to cut it. This isn't a slight against my spouse, it's just that personal passwords must remain so...until I'm gone.
10-25-2019 06:36 PM
@coghlanpf Instead of your phone you can use 2FA with an Authenticator app. Install the app on both your phones and it generates a specific time sensitive key when 2FA is required. This method is much safer than using a phone. Find out if OneDrive supports this method.
10-25-2019 06:28 PM
We don't have one, plus stuff you really want to lock down should require "something you have". E-mail password recovery for bank accounts etc. should be for the account owner only.
10-25-2019 06:26 PM
She will have my PM userid+password, so as long as there isn't an e-mail verification etc, that should be fine.
My wife asked about how she would access all our accounts if I kicked off, so I started to think about it. I'm an IT security guy, and swear by 2FA.
10-25-2019 06:20 PM
You may want to consider having a common email account for your self-serve in case she needs to reset the password. Just a thought
10-25-2019 06:14 PM
She will need access to your self-serve account in order to replace the SIM card. Talk about planning ahead.