OCS banner and logo
Keeping clients' computers safe and profitable for over 30 years




 

When Your Executor Uses Their Computer

Preview:

Even with a complete digital inventory and password manager access, your executor will likely hit verification walls — codes sent to your phone, unrecognized devices, and locked email. Here's how to prepare now.


Even if you've got all your assets logged and an executor has everything in the password manager, it will still be a nightmare for your executor or spouse.

The problem

Most major services no longer rely on username and password alone, even when two-factor authentication (2FA) is turned off. Behind the scenes, sites like Gmail, Outlook, most banks, Amazon, Apple, and most credit card issuers and email providers run a risk check on every login. They look at the device, browser, IP address, location, and login history. If anything looks unfamiliar, they trigger an extra verification step, often called a "security challenge," "identity verification," or "one-time code." This happens even if you have 2FA turned off.

So, what happens when your executor logs into Amazon to close that account, and it sends a code to your email? Then your executor logs into your email, and it sends a code to your phone?

The Email Issue and What to Do

If you use Gmail for email, there is no hope. Your executor must have your phone or proceed through a month of paperwork hassle. For other email hosts, I suggest you email support and find out what their policy is. I use Runbox for my email and so emailed support. Their policy is this:

  1. If 2FA is turned on, a recovery code is provided. If the executor has that recovery code and my username and password, then they can log in with my username and password and turn off 2FA with the recovery code. From then on, only the username and password are needed.
  2. If no 2FA is enabled, login only requires the username and password regardless of what computer or where you are logging in from.

The Mitigations

  1. Be sure your executor has your mobile phone and it works.
  2. Turn on 2FA. This is weird. I'm having you turn on 2FA to reduce security! But when you turn on 2FA, it will offer to produce some bypass or recovery codes. One of these, along with the username and password, will bypass the email to the cell phone on some systems. So, just be sure that you turn on 2FA and then also produce the bypass codes and enter those codes in your password manager so your executor has them to turn off 2FA! However, some systems, like Gmail, will still send the verification code to the cell phone even if you've disabled 2FA with the bypass key.
  3. If you can, when you turn on 2FA, use your password manager's authenticator app for 2FA! It is true that the authenticator app in the password manager results in less security than if it were a separate app entirely. After all, 2FA means 2-factor authentication, and if you have it in your password manager, then you don't really have 2FA. I'm assuming you have long, random passwords that cannot be brute-forced and a strong password to your password manager. So, the threat vector of a foreign hacker getting your password manager is close to zero. Both Bitwarden and KeePass can act as your authenticator app. This makes it much easier for you and also for your executor with only the tiniest drop in security if your passwords are strong. I'd much rather have my password manager fill in the authenticator's one-time passcode than wait for my phone or email to get it and then type it in myself.

An important note about authenticator apps. During setup, you are often offered a QR code to take a picture of. Don't do that. The QR code just represents a long string of letters and numerals, which the authenticator app uses as the secret key for generating the one-time codes. Always get that long string. Then you can use it with any authenticator app. The same string will work with both KeePass and Bitwarden or KeePassXC or other apps that can authenticate.
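To show why the long string is all any authenticator app needs, here is an added example (not part of the original article) that pulls the secret out of the text a setup QR code encodes and computes the standard time-based code (RFC 6238) from it. The sample URI, its account name, and the function names are constructed for illustration; the secret is the public RFC test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the text a setup QR code encodes. The secret is the
# Base32 form of the RFC 6238 test key "12345678901234567890", not a real one.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_uri(uri):
    """Return the Base32 secret string carried in an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI has no secret parameter")
    return values[0]


def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 secret at a given time."""
    # Sites often display the secret in lowercase groups of four; normalize it.
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore Base32 padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import time
    secret = secret_from_uri(SAMPLE_URI)
    print("secret to store in the password manager:", secret)
    print("code right now:", totp(secret, time.time()))
```

Anyone holding the string can generate valid codes, so store it in the password manager entry with the same care as the password itself.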

A Common Disaster Scenario

Your executor has your Bitwarden username, password, and 2FA recovery code in her password manager, say KeePass. You die. She logs into your Bitwarden account, and Bitwarden automatically sends a 6-digit one-time code to your email, a step that cannot be bypassed. But your executor cannot access your email because she doesn't have your email username and password, which are in Bitwarden.

Let's assume you are brilliant and have provided your executor with your email username and password as well. So, she logs into your email, but it recognizes that this is an unrecognized browser, so it sends a one-time code to your phone. Without your phone, this whole process is doomed.

The Phone Is King

The phone is really the lynchpin of everything. Eventually, your executor must have your phone, and it must be working, and the account must stay paid.

Online Password Managers like Bitwarden

Bitwarden and, I assume, other online password managers allow you to designate emergency access. This isn't a problem with KeePass because you aren't logging in: if you have the password, you've got all the accounts and passwords. If you can get access to the email and have the phone, then you should be ok. However, if you and your executor or spouse are using the same online password manager, designating them for emergency access will give them access, so it is a good idea.




Date: June 2026


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

 
 