The digital afterlife

- image by Dan Meyers - Unsplash.com

What about the digital traces we leave behind on the internet after we pass away? When your most important accounts are secured with multi-factor authentication it is impossible to recover. People who are left behind probably have no clue how to access your most important internet accounts and data of value like family pictures.

My most important account is my private Google account. Where I have stored my contacts and e-mail, and a backup of data of value for me. The backup is synchronized every night from my FreeBSD server with rclone. Because I only use exclusivly Apple products for desktop, laptop and smartphone purposes I also have a secured Apple ID.

Apple has the “Legacy Contact”. And Google has the “Inactive Account Manager”. So your account and data can be recovered with your death certificate or is released after account inactivity.

I’m a little paranoid so for every internet account I create a different password and store it in a Keepass encrypted database. On macOS I use MacPass. On Windows at work I use KeePass XC with Chrome browser plugin.

I also backup the QR-codes used with 2-Factor Authentication smartphone apps like Google Authenticator or Microsoft Authentication. And extract the TOTP-secret from the QR-code to place in Keepass so I can generate the 6-number security codes on my iMac and MacBook with MacPass. When my Smartphone gets lost or broken, I can still generate the “military-grade” security codes. But luckily Google Authenticator now has a cloud backup feature (which I don’t use).

I’m to paranoid for storing my passwords and secrets in the cloud like Lastpass announced a security incident December 2022.

For extracting the TOTP-secret data from stored QR-code image/screenshot on a mac. Assuming you are a power user and installed the Homebrew package manager. No you don’t want to use an online service to extract the TOTP-secret from the QR-code for obvious reasons!

1
2
3
4

jerry@Jerrys-iMac ~ % brew install zbar
jerry@Jerrys-iMac Downloads % zbarimg google-qr-2fa.png
QR-Code:otpauth://totp/Google%3AXXX%40gmail.com?secret=ecbazdoxjob5b56vhpjdmz6eioeqousc&issuer=Google
scanned 1 barcode symbols from 1 images in 0,03 seconds

As you can see the QR-code contains a special formatted URL. Where most important key=value is secret=XXX. This secret must be inserted in you MacPass/KeePass XC OTP secret field. This otpauth protocol URL specification is not well standarized. See also github.com/google/google-authenticator wiki Key Uri Format

For the security researchers among us, making a physical copy of the TOTP-secret can also be a security hole. But I encrypt the QR-code images in my Keepass database. Or print them out on paper. When losing it, you can lose your account! A potential security problem is far worse than out-locking yourself from your most important accounts. Choose your “security poison”.

The just-in-case box

You should prepare for the worst and create a small box with printed information like:

• Internet (e-mail) accounts like: Google, Apple, Microsoft
• Most important phone numbers like work, clubs, friends, family etc.
• List of subscriptions with client or contract numbers
• List of contacts to send a death notice to
• Smartphone pincode
• Smartphone SIM-card pin/puk code
• Computer password(s)
• For the digital (crypto) paranoid:
  • Yubi hardware encryption key
  • Server and/or desktop full disk encryption keys
  • Screenshots or copies of 2-factor QR-codes (TOTP secrets)
  • SSH private keys
• … and the list goes on and on

The box could contain an USB stick FAT32 formatted (synced every 31 march on World Backup Day) for maximum OS compatibility. My USB stick also contains an encrypted Keepass password and account database.

So how are you prepared for the digital afterlife?