The Two-Factor Authentication Paradox: When 2FA Locks Out Your Family After You Die

Mark was security-conscious. He enabled two-factor authentication (2FA) on everything:

– Banking apps (authenticator app)
– Email (SMS codes to his phone)
– Investment accounts (hardware security key)
– Cryptocurrency wallets (authenticator app)
– iCloud (trusted device verification)
– Google account (authenticator app + phone)
– Password manager (YubiKey)

His security was impeccable. His estate planning was not.

When Mark died at 54, his wife Sarah had his passwords (written in a notebook). But that wasn’t enough:

The brick walls:

– Banking app required code from his phone (she didn’t have his phone PIN)
– Email required SMS code (sent to his now-deactivated number)
– Investment account required his YubiKey (she didn’t know where it was)
– Cryptocurrency needed authenticator app (on his locked phone)
– Password manager required YubiKey (eventually found it, but didn’t know PIN)
– iCloud required trusted device (his phone, which was locked with Face ID)

She had passwords but couldn’t access anything.

These challenges are growing as two-factor authentication (2FA) guards more of our devices and accounts. While undeniably crucial for safeguarding our online identities and assets during our lifetime, the very strength of multi-factor authentication (MFA) presents a unique set of challenges for transferring digital assets and access rights after a user’s passing.

The result: 6 months of frustration, $8,000 in legal fees, dozens of support calls, and still incomplete access. Some accounts never recovered.

This comprehensive guide covers the 2FA inheritance problem, platform-specific solutions, practical workarounds, and how to balance security with family access.

Understanding the 2FA Inheritance Problem

What is Two-Factor Authentication?

Definition: Authentication that requires two different types of verification from the following:

1. Something you know (password)
2. Something you have (phone, security key)
3. Something you are (fingerprint, face recognition)

Common 2FA methods:

– SMS codes to phone
– Authenticator apps (Google Authenticator, Authy)
– Hardware security keys (YubiKey, Titan Key)
– Biometric verification (fingerprint, Face ID)
– Push notifications to trusted devices
– Backup codes (printed or saved)
– Email verification codes

Why 2FA Creates Inheritance Problems

The security paradox: – 2FA protects accounts from unauthorized access – But “unauthorized” includes grieving family members – Strong security during life = locked out heirs after death

The access requirement: Without the deceased’s physical phone, biometric data, or security key, gaining access to accounts protected by MFA becomes exceedingly difficult, often impossible without direct intervention from service providers.

What family typically has:

– ✓ Passwords (maybe)
– ✗ Deceased’s phone (locked)
– ✗ Authenticator app codes (on locked phone)
– ✗ Hardware keys (lost or unknown location)
– ✗ Biometric data (fingerprint/face no longer accessible)
– ✗ Trusted devices (locked)

Result: Complete lockout despite having passwords.

Real-World Impact

Financial accounts: – Can’t access bank accounts – Investment accounts locked – Cryptocurrency wallets inaccessible – Bill payments blocked – Estate administration halted

Critical services: – Email locked (gateway to everything) – Cloud storage inaccessible – Business accounts frozen – Important documents unreachable

Estate administration: – Can’t notify financial institutions – Can’t access account statements – Can’t fulfill legal obligations – Probate delayed

2FA Methods and Inheritance Challenges

SMS-Based 2FA

How it works: – Code sent to phone number – Enter code to log in

Inheritance challenges:

Phone number still active: – Family has physical phone – But phone may be locked – Need phone PIN/password – Or biometric access

Phone number deactivated: – Carrier canceled service – SMS codes can’t be received – Account completely locked – No way to receive codes

Solutions: – Keep phone service active temporarily – Port number to family member’s phone – Contact platform support with death certificate – May require court order

Difficulty: Moderate (if phone accessible), High (if phone deactivated)

Authenticator Apps

How they work: – Google Authenticator, Authy, Microsoft Authenticator – Time-based codes generated on phone – Change every 30 seconds

Inheritance challenges:

Phone locked: – Authenticator app on deceased’s phone – Can’t unlock phone without PIN/biometric – Can’t access codes – Can’t transfer to new device (usually)

App-specific issues: – Google Authenticator: No cloud backup (older versions) – Authy: Cloud backup if enabled – Microsoft Authenticator: Cloud backup available

Solutions: – Unlock phone to access app – Use backup codes (if saved) – Contact platform support – Reset 2FA (requires extensive verification)

Difficulty: High

Hardware Security Keys

How they work: – Physical device (YubiKey, Titan Key, FIDO key) – Insert into computer or tap phone – Cryptographic verification

Inheritance challenges:

Finding the key: – Small, easily lost – May be in desk, bag, safe – Family may not know it exists – Multiple keys possible

Using the key: – Requires physical possession – May require PIN – May be registered to specific devices

Solutions: Although it is not yet used universally for two-factor authentication, a hardware key (e.g., YubiKey) may offer something that can easily transfer to an heir or partner.

Best 2FA method for inheritance: – Physical object can be passed on – Works if family knows where it is – Document location in estate plan

Difficulty: Low to Moderate (if found), High (if lost)

Biometric Authentication

How it works: – Fingerprint (Touch ID) – Face recognition (Face ID) – Voice recognition – Iris scan

Inheritance challenges:

Person is deceased: – Biometric data no longer accessible – Can’t use fingerprint on corpse (doesn’t work) – Can’t use Face ID (requires living face) – Completely impossible to replicate

Solutions: – None for biometric-only access – Must use backup authentication methods – Fallback to password + alternate 2FA – Platform support intervention

Difficulty: Impossible (if biometric-only), Moderate (if backup method available)

Push Notifications to Trusted Devices

How they work: – Apple ID: Approve on another Apple device – Google: Approve on Android device – Push notification to phone/tablet

Inheritance challenges:

Devices locked: – Notification appears on lock screen – But can’t approve without unlocking device – Need device password/biometric

No trusted devices available: – Deceased’s devices all locked – No family member has approved device – Can’t add new trusted device without access

Solutions: – Unlock existing trusted device – Use backup authentication method – Platform support with documentation

Difficulty: Moderate to High

Backup Codes

How they work: – Set of single-use codes (usually 8-10) – Generated when 2FA enabled – Can be printed or saved

Inheritance advantages: With most 2FA systems, you can print out a set of backup codes to provide access.

Best practice for inheritance: – Print backup codes – Store in safe deposit box – Include in estate documents – Update when used/regenerated

Difficulty: Easy (if codes were saved), Impossible (if not saved)
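How single-use backup codes typically behave on the service side, as an added example that is not from the original article or any named provider: each code is consumed on use, and issuing a new sheet invalidates the old one, which is why the stored copy has to be updated after regeneration. `BackupCodeStore`, the code format and the keyed-digest storage are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # skips look-alikes 0/O and 1/I/L


def normalise(typed: str) -> str:
    """Codes are typed from paper: ignore case, spaces and hyphens."""
    return "".join(ch for ch in typed.upper() if ch.isalnum())


class BackupCodeStore:
    """Hypothetical per-account store; it keeps digests, never the codes."""

    def __init__(self):
        self._key = secrets.token_bytes(16)
        self._unused = set()

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, normalise(code).encode(), hashlib.sha256).digest()

    def regenerate(self, count: int = 10) -> list:
        """Issue a fresh sheet; every code from the previous sheet stops working."""
        codes = set()
        while len(codes) < count:
            raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
            codes.add(f"{raw[:4]}-{raw[4:]}")
        self._unused = {self._digest(code) for code in codes}
        return sorted(codes)

    def redeem(self, typed: str) -> bool:
        """Accept a code once, then remove it so it can never be replayed."""
        digest = self._digest(typed)
        if digest in self._unused:
            self._unused.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    printed_sheet = store.regenerate()           # the copy in the safe deposit box
    print(store.redeem(printed_sheet[0]))        # True: first use
    print(store.redeem(printed_sheet[0]))        # False: already consumed
    store.regenerate()                           # owner regenerates, forgets to reprint
    print(store.redeem(printed_sheet[1]))        # False: the stored sheet is now dead
```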

Platform-Specific 2FA Recovery

Apple / iCloud

2FA authentication: – Trusted devices – SMS to trusted phone number – Recovery key (if enabled)

After death access methods:

Method 1: Apple Legacy Contact – If set up before death – Provide access key + death certificate – Bypasses 2FA requirement – 3-year access window

Method 2: Trusted Device – Unlock deceased’s iPhone/iPad/Mac – Approve access from that device – Requires device passcode

Method 3: Recovery Key – 28-character code – Bypasses 2FA – If deceased enabled and saved

Method 4: Account Recovery – Contact Apple Support – Provide death certificate + executor docs – Long process, uncertain outcome

Difficulty: Easy (if Legacy Contact), Moderate (if trusted device), Hard (otherwise)

Google Account

2FA methods: – Authenticator app – SMS codes – Hardware keys – Push notifications – Backup codes

After death access:

Method 1: Inactive Account Manager – If set up before death – Trusted contact gets access automatically – Downloads data via Google Takeout – Bypasses 2FA

Method 2: Backup Codes – If saved and accessible – Single-use codes – Work even without phone

Method 3: Account Recovery – Contact Google Support – Provide death certificate – May require court order – Often unsuccessful

Difficulty: Easy (if IAM or backup codes), Very Hard (otherwise)

Banking and Financial Institutions

Typical 2FA: – SMS codes – Authenticator apps – Hardware tokens – Phone call verification

After death access:

If the account owner is deceased and no security information has been left behind, you’ll have to follow “next of kin” procedures for each account (and each will be a little different). In most cases, proof of death and financial power of attorney will be sufficient, depending on the deceased’s will or trust estate provisions.

Required documentation: – Death certificate – Letters testamentary – Executor identification – Account information

Process:

1. Contact customer service
2. Speak to estate department
3. Provide documentation
4. Verify identity
5. 2FA requirement may be waived
6. Account access granted or check issued

Timeline: 2-6 weeks typically

Difficulty: Moderate (financial institutions usually cooperative)

Cryptocurrency Wallets

2FA protection: – Authenticator apps – Hardware wallets – Backup seed phrases – Multisig requirements

After death challenges:

Hardware wallets (Ledger, Trezor): – Physical device needed – Plus PIN – Plus recovery seed phrase – All three required

Exchange accounts (Coinbase, Kraken): – Password + 2FA – Backup codes if saved – Platform support limited – May require court order

Severity: HIGH – Cryptocurrency easily lost forever

Solution: Document everything: – Hardware wallet location – PIN codes – Recovery seed phrases – Exchange credentials + 2FA backup codes

Difficulty: Very High

Password Managers

2FA protection: – Master password – Authenticator app – Hardware key – Biometric unlock

Critical importance: – Password manager contains all other passwords – If locked out, access to NOTHING – Gateway to entire digital estate

Access methods:

Emergency Access (LastPass, Dashlane): – Designated emergency contact – Request access – Wait period (0-30 days) – Automatic access granted – Bypasses 2FA

Recovery Keys (1Password): – Emergency Kit with recovery key – Print and store securely – Bypasses 2FA

Bitwarden: – Emergency access similar to LastPass

Difficulty: Easy (if emergency access configured), Very Hard (if not)

Practical Solutions and Workarounds

Solution 1: Device Access Strategy

The easiest method to ensure access to your accounts is to inform a loved one of your mobile device’s PIN, or alternatively, set them up with biometric access like a fingerprint.

Share device access: – Tell spouse your phone PIN – Add spouse’s fingerprint to your phone – Document laptop password – Tablet PIN code

What this enables: – Access to authenticator apps – Receive SMS codes – Use trusted device for approval – Access backup codes saved on device

Privacy considerations: – Spouse has full device access during life – Balance privacy vs. estate planning – Consider what’s on device

Alternative: Emergency PIN envelope – Sealed envelope with PIN – Stored in safe deposit box – “Open only in case of death” – Preserves privacy during life

Solution 2: Hardware Security Keys

Best practice: – Use YubiKey or similar – Document where it’s kept – Include PIN if required – Register to multiple accounts

Storage location: – Safe deposit box – Home safe – Documented in estate plan

Advantage: – Physical object easily transferred – Works without phone – Simple for heirs to use

Setup:

1. Buy 2-3 YubiKeys
2. Register all to your accounts
3. Keep one with you
4. Store backup in safe
5. Give third to spouse/executor
6. Document which accounts use it

Solution 3: Backup Codes

Generate and store:

1. Enable 2FA on account
2. Generate backup codes
3. Print or save to file
4. Store in multiple locations:
   – Printed in safe deposit box
   – Encrypted file in cloud
   – Given to executor
   – In password manager

Update regularly: – When codes used – Annually as precaution – When security changes – After any breach

Label clearly:

GOOGLE ACCOUNT BACKUP CODES
Account: john@gmail.com
Generated: January 2026
Codes:
1. XXXX-XXXX
2. XXXX-XXXX
[... 8-10 codes total]

Store safely. Each code works once.

Solution 4: Password Manager Emergency Access

Set up today:

LastPass: 1. Settings → Emergency Access 2. Add trusted contact 3. Set wait period (0-30 days) 4. Contact requests access after death 5. After wait period, full access granted

1Password: 1. Create Emergency Kit 2. Print and store securely 3. Includes account info + recovery key 4. Give to spouse/executor

Dashlane: 1. Settings → Emergency Access 2. Similar to LastPass 3. Trusted contact designated

Bitwarden: 1. Settings → Emergency Access 2. Designate contacts 3. Set wait time 4. Access includes 2FA codes if stored

Solution 5: Authenticator App Backup

Google Authenticator (newer versions): – Enable cloud backup – Google Account syncing – Accessible if Google account accessible

Authy: – Automatic cloud backup – Can restore to new device – Requires Authy account password

Microsoft Authenticator: – Cloud backup available – Enable in settings – Syncs to Microsoft account

Best practice: – Enable cloud backup – Ensure backup account accessible – Test restoration process

Solution 6: Account-Specific Recovery Options

Enable account recovery methods: – Recovery email (not deceased’s) – Recovery phone (family member) – Security questions (share answers) – Trusted contacts (where available)

Example setup: – Primary 2FA: Authenticator app – Backup 2FA: SMS to spouse’s phone – Recovery email: Spouse’s email – Backup codes: In safe deposit box

Result: Multiple paths to recovery.

Estate Planning Best Practices

Document Everything

2FA inventory template:

TWO-FACTOR AUTHENTICATION INFORMATION

DEVICES:
- iPhone 14: PIN [stored in safe], Fingerprint registered: [spouse name]
- iPad: PIN [stored in safe]
- MacBook: Password [in password manager]

HARDWARE KEYS:
- YubiKey #1: On keychain (always with me)
- YubiKey #2: Home safe (combination [location])
- YubiKey #3: Safe deposit box at [Bank Name]

AUTHENTICATOR APPS:
- Google Authenticator: On iPhone (cloud backup enabled)
- Authy: On iPhone, password [in password manager], cloud backup ON

BACKUP CODES STORED:
- Google Account: Safe deposit box, printed copy
- Bank of America: Safe deposit box
- Vanguard: Safe deposit box
- Coinbase: Encrypted file in Google Drive + printed in safe

CRITICAL ACCOUNTS WITH 2FA:
1. Email (Gmail): Authenticator app, backup codes in safe
2. Bank of America: SMS to my phone, backup codes in safe
3. Vanguard: Security token (in desk drawer), backup codes in safe
4. Coinbase: Authenticator app + YubiKey, backup codes in safe
5. Password Manager (LastPass): YubiKey + master password
   - EMERGENCY ACCESS granted to [spouse name]
   - Wait period: 7 days

PHONE NUMBER:
Keep my phone number active for at least 90 days after death for SMS codes.
Port to [family member] if needed.

INSTRUCTIONS FOR FAMILY:
1. Access my iPhone with PIN [location of PIN]
2. Open Google Authenticator for time-sensitive accounts
3. Use YubiKey from home safe for financial accounts
4. Backup codes in safe deposit box for everything else
5. LastPass Emergency Access will grant [spouse] access after 7 days

Test Recovery Process

Before death: 1. Simulate lockout scenario 2. Test backup codes work 3. Verify hardware keys function 4. Confirm emergency access works 5. Update documentation as needed

Annual review: – Confirm backup codes valid – Test hardware keys – Update device PINs if changed – Regenerate codes if any used – Verify emergency contacts current
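One way to run the simulated lockout on paper before testing it for real, as an added example that is not from the original article: the inventory is modelled as a dependency graph, and the script reports which accounts an heir can reach with what they actually hold and which single item would cut off an account if it went missing. The asset names and the `crypto_wallet` entry are constructed for illustration, loosely following the template above.

```python
# Constructed inventory. Each asset lists its alternative unlock paths;
# a path is the set of things that must ALL be held to use it.
INVENTORY = {
    "iphone":        [{"iphone_pin"}],
    "authenticator": [{"iphone"}],                    # app lives on the phone
    "sms_codes":     [{"iphone"}],
    "backup_codes":  [{"safe_deposit_box"}],
    "yubikey":       [{"home_safe"}, {"safe_deposit_box"}],
    "lastpass":      [{"yubikey", "master_password"}, {"emergency_access"}],
    "gmail":         [{"authenticator"}, {"backup_codes"}],
    "bank":          [{"sms_codes"}, {"backup_codes"}],
    "coinbase":      [{"authenticator", "yubikey"}, {"backup_codes"}],
    "crypto_wallet": [{"authenticator"}],             # hypothetical: no backup path
}
ACCOUNTS = ["bank", "coinbase", "crypto_wallet", "gmail", "lastpass"]


def reachable(held):
    """Fixed point: keep unlocking assets until nothing new opens up."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for asset, paths in INVENTORY.items():
            if asset not in have and any(path <= have for path in paths):
                have.add(asset)
                changed = True
    return have


def locked_out(held):
    """Accounts the heir cannot reach with the items they hold."""
    have = reachable(held)
    return [account for account in ACCOUNTS if account not in have]


def single_points_of_failure(held):
    """Map each held item to the accounts lost if that one item is missing."""
    baseline = set(locked_out(held))
    report = {}
    for item in sorted(held):
        lost = set(locked_out(set(held) - {item})) - baseline
        if lost:
            report[item] = sorted(lost)
    return report


if __name__ == "__main__":
    executor = {"iphone_pin", "safe_deposit_box", "home_safe", "emergency_access"}
    print("locked out:", locked_out(executor))
    print("single points of failure:", single_points_of_failure(executor))
    print("passwords only:", locked_out({"master_password"}))
```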

Balance Security and Accessibility

During life: – Strong 2FA for security – But document everything – Store backups securely – Plan for family access

After death: – Family can access – But still secure from hackers – Multiple recovery methods – Clear instructions

Not either/or: Both security AND inheritance.

For Executors: 2FA Recovery Strategy

Week 1: Immediate Inventory

  • ☐ Locate deceased’s phone (do NOT unlock yet if locked)
  • ☐ Find hardware security keys (desk, keychain, safe)
  • ☐ Check safe deposit box for backup codes
  • ☐ Look for printed documentation
  • ☐ Check estate plan for 2FA information
  • ☐ Access password manager if emergency access set up

Week 2: Device Access

  • ☐ If phone PIN documented, unlock phone
  • ☐ Access authenticator apps
  • ☐ Screenshot all codes before battery dies
  • ☐ Keep phone charged and active
  • ☐ Don’t cancel phone service yet

Week 3: Account Priority List

Priority 1: Password Manager – Gives access to everything else – Use emergency access if set up – Or hardware key if available – Critical first step

Priority 2: Email – Gateway to other accounts – Use phone authenticator or backup codes – Essential for password resets

Priority 3: Financial Accounts – Banking, investments – Contact institutions directly – Provide death certificate – May bypass 2FA with documentation

Priority 4: Everything Else – Social media – Cloud storage – Subscriptions – Lower priority

Week 4: Platform Support

When 2FA can’t be bypassed: – Contact platform support – Provide death certificate – Provide executor documentation – Explain 2FA access issue – Request 2FA reset or removal – Be prepared for long process

Special Situations

Corporate/Business Accounts

Business 2FA: – IT department may have access – Business continuity plans – Admin overrides – Separate from personal estate

Small business owner: – Document business account 2FA – Succession plan for access – Multiple admins if possible – Critical for business continuity

Cryptocurrency and High-Value Accounts

Extra precautions: – Multiple backup methods – Redundant storage – Clear documentation – Consider professional custody services

Hardware wallet access: – Device location – PIN code – Recovery seed phrase – All three documented separately

Risk: Cryptocurrency easily lost forever with 2FA/seed phrase loss.

International Accounts

Additional complexity: – Different time zones for codes – International phone numbers – Different support procedures – Language barriers

Solution: Document even more thoroughly.

Elderly Parents

Setting up for aging parents: – Simpler 2FA methods – Backup codes prominently stored – Hardware keys they won’t lose – Your phone as backup 2FA – Regular check-ins

Conclusion

Two-factor authentication is essential for security but creates serious inheritance challenges. The same features that protect accounts from hackers also lock out grieving family members.

The problem:

– Password alone insufficient
– 2FA requires phone, app, hardware key, or biometric
– Deceased’s phone locked or deactivated
– Authenticator apps inaccessible
– Hardware keys lost or unknown
– Biometric data unavailable
– Family completely locked out despite having passwords

The solution (after death):

✓ Unlock deceased’s phone immediately
✓ Access authenticator apps before battery dies
✓ Find hardware security keys
✓ Look for backup codes
✓ Use password manager emergency access
✓ Contact platform support with death certificate
✓ Keep phone service active temporarily

The solution (proactive planning):

✓ Share device PINs with spouse
✓ Document hardware key locations
✓ Print and store backup codes
✓ Set up password manager emergency access
✓ Enable authenticator app cloud backup
✓ Use hardware keys (most transferable method)
✓ Create comprehensive 2FA inventory
✓ Test recovery process annually

Most important: Security during life and access for heirs after death are NOT mutually exclusive. With proper planning, you can have both.

Document your 2FA setup today. Your family will thank you when they’re not locked out of your entire digital life.

