The way I have set this up is with a backup/reserve yubikey in a physical safe that my family has access to. In the safe is a description of how I setup my accounts, which is in a sealed envelop. The yubikey has the masterkey and 2fa, and the letter with description says where the first part of the masterkey can be found (seperate letter). Also I have setup an emergency contact that will have access after 30 days. For me this is good enough. Of course if you want to be sure to only grant access after your death I would go to a local notary and give them these instructions together with the letter with your masterkey and 2fa reset codes. Or put a backup yubikey in a lockbox at a bank, and have them only allow access to family after confirmation of you death.
I would not trust or burden bitwarden with this responsibility, as there are already many ways to handle this.
Thanks for this info. I’m not familiar with Yubikey but will check into it and the other ideas you reference.
Mail a kind of partial secret to some people right away. There are algorithms for shared custody of a secret, so that two (or N) people need to collaborate in order to perform some task. You nominate four people (eg) and two of them, working together, have enough information decrypt your vault, but no one, alone, knows enough. Or 3 of 9 or whatever. At any password change, mail the group again with a key and a birthdate of that password, so they can meet up postmortem and decrypt.
Nominate a successor who gets access after a grace period. You name sally. She gets email. She can come and ask for access to your account using an obsfuscated version of your passphrase (which you enter at that nomination time), and when she asks, you get email. If you do not respond within N days, she gets email saying she can now access it.
Nominate someone who gets access after you go dormant. Death is stressful, and online access is not high on the list of things to care about. So, after you nominate Sally as successor in bitwarden, she gets email and a timer is reset every time you log in. If you fail to reset that timer, you get email that you can veto it, but shortly thereafter Sally will get email with emergency access code. Imagine it being 45 days by default. You die, then after things have settled down, loved ones get email to access online life.
I just want to say that Emergency access feature is a joke as currently implemented. @dh024 If “tricky” means it involves work and thinking, its better to think and work on features before publishing it as useless as it is now.
Curious to what makes the current implementation a miss @Eugene_Bos? Feedback (specific and constructive) is always appreciated.
Maybe you misunderstood, @Eugene_Bos, but the current Emergency Access feature is not designed to accommodate unexpected end-of-life situations, as the OP has requested. Adding such functionality would be tricky because it would be hard to avoid False triggers, and the last thing I am sure Bitwarden would want to do is send messages to unsuspecting loved ones that they have died. I think it would be hard to come up with a fool-proof way to do this efficiently.
Of course, if you disagree, I am sure everyone would love to hear a solid solution. Please feel free to contribute.
As I learn more about this I’m wondering if just putting a yubikey for two factor identification along with my current password in two different secure locations will enable my heirs to fully access my account if I’m gone if they possess both those things. Does anyone know that? And can I setup 2FA so that either the yubikey or another 2FA like Authy will still work for me in the meantime? Or do I have to use only one 2FA method?
You can have multiple 2FA options @Compressor61 - no worries!
You’re correct, the email + master password + yubikey is all that is needed to access the vault.
Thanks. So sorry if I’m being redundant here. But I need to confirm. If I setup a yubikey and an Authy 2FA , I can use either one of them to access my vault, but I do not have to use both each time 2FA is required, correct? This way I can setup the yubikey and put it a safety deposit box only to be used by someone else down the road. Meanwhile I’ll use Authy.
Do I have this right?
If so I think I have a solution. Then I just have to figure out if I can use the same yubikey for 2FA on my google/gmail account.
That’s correct, you can use either 2FA method to log in.
Basically in this case you are trusting that a 3rd party will protect your information and possibly another party has access to a “legacy yubikey”, while someone such as an estate planner have your master password in a safe deposit box of some kind.
This would be ideal as to only be able to provide all factors of verification, masterpassword and 2FA (yubikey) plus possibly some instructions with the master password or will.
You could also have variations on this type of legacy access to fit your needs as it would work, possibly even splitting up all factors of authentication between multiple heirs + spouse (parts of the master password split up with one designated as 2FA) though now I’m just split-balling I’m sure others can come up with far more creative solutions.
“Mail a kind of partial secret to some people right away.” it may be better that it wont be done via Bitwarden directly, so both parts of the secret won’t end up in 1 server, therefore it won’t compromise security.
So basically on activation of that feature Bitwarden generates 2 passwords that both can open the vault. 1 is not saved (user password), another one is saved partially and part of it is displayed to the user(and not saved) to send it out to selected people by another secure channels.
Preventing of sending the part of the password preliminary can be done the same way as Google does (with reminders, and warning before)
Thanks Kent. Much appreciated
Account handover to another when inactive for a period of time.
Gmail has a feature where if you don’t log in for three months your account can be turned over to another. This would be a crucial feature for a password manager. When I die I would like my wife to have access to all the sites I use. I don’t know if this is technically possible but it would be a really great feature.
I wouldn’t do that.
That way they may get to know you master password. They may access your account without your knowledge and:
At any time, they can access you account immediately without you having a chance to stop them.
That’s why I would do something else:
- Make a new (free) account
- Give that account emergency access.
- Split that master password in as many parts as you like and give them to different people.
That master password has to be long enough and shouldn’t be related to yours.
For redundancy, you also can give the same part to different people and everyone needs the email address.
The regular emergency access Bitwarden has is similar Tim. Here’s a link describing it: Emergency Access | Bitwarden Help & Support
Would be useful to also be able to mark certain items as mine only even after death and emergency access. I wouldn’t want my family members coming across my “adult” accounts in my vault
Look up Shamir’s Shared Secret. It’s a way of cryptographically splitting up a secret S into N parts but only any K pieces (K<=N) are needed to reconstruct the secret S. (BTW, Shamir is the S in RSA.)
Use it to split your master PW into enough pieces to give them to all your trusted people (including a lawyer?), but only K of them would need to get together and agree to present their piece to come up with your master PW. If K=N, then everyone would have to agree together.
While not a solution to the issue of not wanting to bring it up beforehand, which is less a technical issue and more a social one, a possible solution to not wanting to provide access until death would be to follow the normal, current process, but once the emergency access is granted and the emergency user has a password set up, have that password disabled entirely, i.e. they can’t even try to use it to access the account and trigger the notification to the account owner, until one of two things happens (either an option or just whichever the developers determine is the best solution):
A certain amount of (ideally user-configurable) time has passed without access to the account, at which point emails (again, ideally the number and timespan, i.e. 3 every week, so once a week for 3 weeks, would be user-configurable) would be sent to the account holder notifying them the emergency contact will soon be notified they can request access. Once that total time has passed without response by the account owner, the emergency contact will be notified, and they can request access and wait for approval, denial, or no-response default approval as is currently the setup. This is basically like Gmail’s inactive account setting, only with the need to set it up ahead of time with the emergency contact.
Do the same as in the first solution, having an emergency contact set up a password which is disabled until activated later, only in this case the method of activating it is different. In order for that to happen, an additional one or more passwords or keyfiles need to be used to activate the emergency user’s password (or, in other words, for their password to work to access the account), and these could be given to lawyers, other family members, etc. This is just one more reason why keyfiles should be added to Bitwarden as requested here. In fact, this solution does deal with the issue of not wanting to discuss this ahead of time with family, as the emergency user can be a lawyer and the additional password(s)/keyfile(s) can be given to family, (an)other lawyer(s), kept in a safe place, etc. Something as simple as a keyfile or secret password can really open up the possibilities for dealing with this.
Various social media and webmail platforms have a feature that periodically reminds their users every X months that their next-of-kin disclosure or data auto-deletion service is active. For example, Dropbox auto-deletes all data if a user hasn’t used the service in X months. Google has a service called “Inactive Account Manager” and a support section called “[email protected]”.
In general interests of privacy, a fair GDPR-type policy would be someone should have the right to be forgotten, data deleted, and/or data handed down to next of kin. The current situation of cookies and data export are half measures.