Dear friends,
Password managers and security tools are designed to be impenetrable fortresses, protecting your most sensitive information with military-grade encryption. This creates a paradox in legacy planning: the very security measures that protect you in life can permanently lock out your loved ones after death unless you plan appropriately.
Your password manager likely contains credentials for dozens or hundreds of accounts, including financial institutions, email accounts, and critical services. Without access to this vault, your family may be unable to manage your digital estate, access important accounts, or even complete basic administrative tasks after your death.
Critical challenges include: a physical device is required, so registered accounts cannot be accessed remotely; a YubiKey PIN is required for FIDO2/passwordless login, and an unknown PIN locks the device; and most users own only one YubiKey, with no backup key registered. These security layers protect against unauthorized access but can also prevent legitimate access by authorized family members and estate executors.
DeathNote helps you securely document master passwords, recovery keys, 2FA backup codes, and hardware security device PINs. You can provide step-by-step instructions for accessing your password vault while ensuring this information remains encrypted and protected until properly verified death triggers delivery to your designated contacts.
Consider creating a layered access plan: emergency contacts who can access critical accounts immediately, trusted executors who receive full vault access, and detailed documentation of what's stored where. This planning ensures security during life while enabling access when needed.
Platform Overview
Primary Use: Multi-protocol authentication (FIDO2, U2F, OTP, Smart Card, OpenPGP), passwordless login, 2FA for high-security accounts
Account Types: Supports 100+ services: Google, Microsoft, Apple, GitHub, Coinbase, Kraken, Dropbox, password managers, SSH
Data Types: Physical USB device (YubiKey 5 Series, YubiKey Bio, Security Key Series), device PINs, OTP slots, FIDO2 credentials, smart card certificates
Access Challenges
- Physical device required - cannot remotely access registered accounts
- YubiKey PIN required for FIDO2/passwordless - unknown PIN locks device
- Most users own only ONE YubiKey (no backup key registered)
- YubiKey supports 25 FIDO2 credentials max - may be full, preventing new registrations
- NFC vs USB-C vs USB-A - family needs compatible device to use key
- YubiKey cannot be cloned or backed up - each key is unique
- Lost YubiKey without backup = permanent account lockout
Inheritance Guidance
Step 1: Purchase and Register Two YubiKeys for Every Account
YubiKey's #1 inheritance failure: Users buy one key, not two. Single key = single point of failure. YubiKeys cannot be cloned. ALWAYS register 2 keys per account.
Step 2: Configure and Store YubiKey PIN Securely
YubiKey 5 and YubiKey Bio require a PIN for FIDO2/passwordless authentication. The PIN protects the key if it is stolen but blocks family if it is unknown. Secure storage is critical.
Step 3: Document YubiKey Storage Locations
YubiKeys are small USB devices easily lost or overlooked. Physical location documentation is critical for inheritance.
Step 4: Maintain YubiKey Account Inventory
Create a master list of every account protected by a YubiKey so family knows which accounts require the physical key.
Step 5: Store Recovery Codes as YubiKey Backup
A YubiKey should NEVER be the sole access method. Always enable recovery codes as a failsafe. Lost YubiKey + no recovery codes = permanent lockout.
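One way to check an inventory like the one Steps 1-5 describe before it goes into an estate plan, as an added example that is not DeathNote's or Yubico's code. The field names, sample accounts and the rule that 2FA logins need no key PIN are assumptions of this sketch; the inventory records only whether a PIN, password or code is documented, never the secret itself.

```python
# Constructed sample inventory; every name and value here is illustrative.
KEYS = {
    "primary": {"ports": {"USB-C", "NFC"}, "location_documented": True, "pin_documented": False},
    "backup":  {"ports": {"USB-A", "NFC"}, "location_documented": True, "pin_documented": True},
}
ACCOUNTS = [
    {"name": "email", "mode": "2fa", "keys": ["primary", "backup"], "password_in_vault": True, "recovery_codes": True},
    {"name": "exchange", "mode": "passwordless", "keys": ["primary"], "password_in_vault": False, "recovery_codes": False},
    {"name": "code-hosting", "mode": "2fa", "keys": ["backup"], "password_in_vault": True, "recovery_codes": False},
]
HEIR_PORTS = {"USB-C"}  # ports on the device the family will use

def access_paths(acct, keys, heir_ports):
    """Return the login paths an heir could actually complete."""
    paths = []
    for label in acct["keys"]:
        key = keys[label]
        # A key helps only if it can be found and physically connected.
        if not (key["location_documented"] and key["ports"] & heir_ports):
            continue
        if acct["mode"] == "passwordless" and key["pin_documented"]:
            paths.append(f"{label} key + PIN")
        elif acct["mode"] == "2fa" and acct["password_in_vault"]:
            paths.append(f"password + {label} key")
    # Modelling assumption: a recovery code replaces the key, not the password.
    if acct["recovery_codes"] and (acct["mode"] == "passwordless" or acct["password_in_vault"]):
        paths.append("recovery code")
    return paths

def audit(accounts, keys, heir_ports):
    """Map each account name to its list of inheritance findings."""
    report = {}
    for acct in accounts:
        findings = []
        if len(acct["keys"]) < 2:
            findings.append("only one key registered")
        if not acct["recovery_codes"]:
            findings.append("no recovery codes stored")
        paths = access_paths(acct, keys, heir_ports)
        if not paths:
            findings.append("LOCKOUT: no usable access path")
        elif len(paths) == 1:
            findings.append(f"single point of failure: {paths[0]}")
        report[acct["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, KEYS, HEIR_PORTS).items():
        print(name, "->", findings or ["ok"])
```

With the sample data, the two lockouts have different causes: one account is passwordless with an undocumented PIN, the other has only a USB-A key registered while the heir's device is USB-C.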
Related Resources
Hardware Security Key Handoff
General hardware key inheritance guidance applicable to all FIDO2 keys
2FA Recovery Codes Legacy
Critical backup codes for YubiKey-protected accounts
GitHub Account Handoff
YubiKey commonly used for GitHub SSH and account protection
Crypto Wallet Legacy
YubiKey often protects crypto exchange accounts (Coinbase, Kraken)
How It Works
Learn how DeathNote automates digital legacy delivery including YubiKey instructions
Frequently Asked Questions
Can I clone my YubiKey so my spouse has an identical backup?
No. YubiKeys cannot be cloned due to hardware security design. Each key generates unique cryptographic credentials. However, most services allow you to register multiple YubiKeys (usually 2-10 keys per account). The solution: Register BOTH your key and your spouse's key on the same accounts. This way, either key works for login, and if one is lost, the other provides access. Always register 2+ keys per account.
What's the difference between YubiKey 5 NFC and YubiKey 5C NFC for inheritance planning?
YubiKey 5 NFC has USB-A (traditional USB), YubiKey 5C NFC has USB-C (newer ports). Both have NFC for mobile phone tap. For inheritance: Choose based on family's devices. If they use newer laptops (MacBook, modern Windows), get 5C NFC. If they use older devices, get 5 NFC. Best flexibility: Buy one of each (primary + backup) so family can use whichever works with their device. NFC works on all modern phones regardless.
My YubiKey is PIN-protected. Can my family reset the PIN if they forget it?
Only if they know the current PIN. YubiKey PIN reset requires entering the current PIN first - catch-22 if forgotten. After 8 failed PIN attempts, YubiKey locks permanently. This is why PIN storage is critical: Write PIN on paper, store with backup YubiKey in safe, document in estate plan. If PIN is lost AND YubiKey is locked, your only option is recovery codes for each account. YubiKey itself becomes unusable.
Should I use YubiKey for passwordless login or just 2FA for inheritance purposes?
Use YubiKey for 2FA (second factor) rather than passwordless for easier inheritance. Passwordless requires PIN every time and makes YubiKey the ONLY access method. 2FA keeps password as primary (stored in password manager for family), YubiKey as second factor (with recovery codes as backup). This gives family 3 access paths: 1) Password + YubiKey, 2) Password + recovery code, or 3) Password + backup YubiKey. More access paths = easier inheritance.