Password and Account Handoff: Giving Family Legal Digital Access

When someone dies, the family discovers a paradox: every important account is digital, and almost none of those accounts can be legally accessed without the original owner. Federal computer fraud laws and provider terms of service treat unauthorized access as illegal even when the person attempting it is your spouse or executor. The solution isn't a sticky note with your master password. It's a layered handoff plan built around password managers, provider legacy tools, and explicit legal authorization in your will.

Here is how to set it up so your family inherits the keys legally and securely.

The legal landscape

Two federal laws govern digital access after death:

• **The Computer Fraud and Abuse Act (CFAA)** criminalizes accessing accounts "without authorization." Provider terms of service typically define authorization narrowly — meaning even your spouse logging into your email after your death may technically be violating federal law.
• **The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)** has been adopted in 47 states. It creates a hierarchy: first, the provider's own online tool (Google Inactive Account Manager, Apple Legacy Contact); second, explicit authorization in your will or trust; third, the provider's terms of service.

The practical implication: your executor cannot legally access most accounts without either (a) you setting up the provider's tool in advance, or (b) the will containing explicit RUFADAA authorization language. Both are essential.

Layer 1: A password manager with emergency access

The foundation of any digital handoff plan is a password manager. Every modern password manager (Bitwarden, 1Password, LastPass, Dashlane, Keeper) offers an emergency access feature. The mechanic:

1. You designate one or more emergency contacts 2. The contact requests access 3. A waiting period (you set it — typically 24 hours to 30 days) begins 4. If you don't deny the request during the waiting period, the contact receives access to your full vault

The waiting period is the security: if your account is compromised, you have time to deny the request. If you're incapacitated or dead, the contact receives access without further action.

Set this up today. It takes 10 minutes. Designate your spouse, executor, or a trusted adult child. Set a reasonable waiting period (3–7 days is common). The emergency contact does not need to be a paying password manager user themselves — they create a free account just to receive access.

Store the master password recovery key in a sealed envelope in your fireproof safe. Without it, even the emergency contact may be unable to fully recover the vault if the underlying account is corrupted.

Layer 2: Provider legacy tools

For the major platforms, set up the built-in legacy or memorialization features:

### Google Inactive Account Manager

Settings in your Google account let you designate up to 10 people to be notified after a period of inactivity (3, 6, 12, or 18 months). You can also choose which data to share — Drive, Gmail, Photos, YouTube — and whether the account should be deleted after the inactivity window. Path: myaccount.google.com → Data & Privacy → Make a plan for your digital legacy.

### Apple Legacy Contact

In iPhone settings: Apple ID → Sign-In & Security → Legacy Contact. The legacy contact receives a unique access key. With that key plus your death certificate, they can request access to your iCloud data, photos, messages, notes, and most account contents.

### Facebook Legacy Contact

Settings → Memorialization Settings. You can designate one person to manage your memorialized account, post a final message, accept friend requests, and download a copy of your timeline.

### Microsoft Account

Microsoft does not currently offer a legacy contact tool. Family members can request access through Microsoft's Next of Kin process with a death certificate and notarized affidavit, but the process is slow. Store Microsoft account credentials in your password manager.

### Banking and financial accounts

Most banks and brokerages don't offer legacy contacts in the password-manager sense. Instead, name beneficiaries (POD or TOD designations) on the accounts themselves — the beneficiary becomes the account owner outright at death with just a death certificate, no probate or password needed.

Layer 3: Explicit RUFADAA authorization in the will

Even with password managers and legacy contacts set up, your will should contain explicit RUFADAA language authorizing your executor to access your digital assets, content of electronic communications, and digital accounts. Without this language, the executor may be unable to enforce access where the provider resists.

Sample language (your attorney should adapt):

> I authorize my executor to access, manage, and control any digital assets I own or have rights to, including the content of any electronic communications, in accordance with the Revised Uniform Fiduciary Access to Digital Assets Act as adopted in my state of residence. This authorization extends to all online accounts, cloud-stored files, cryptocurrency wallets, and any other digital property.

The Uniform Law Commission's RUFADAA page lists which states have adopted the law and any state-specific variations.

Layer 4: A digital asset inventory

The family can't access what they don't know about. Maintain a list — separate from the password manager — of every digital asset and where it lives. Include:

• Email accounts (primary, secondary, work)
• Cloud storage (iCloud, Google Drive, Dropbox, OneDrive)
• Photo and video libraries
• Social media accounts
• Cryptocurrency holdings (exchange-held vs. self-custody, wallet types, hardware wallet locations — but never seed phrases themselves)
• Domain names you own
• Business websites and hosting accounts
• Subscription services (streaming, software, professional, financial)
• Payment apps (PayPal, Venmo, Zelle, Cash App, Apple Cash)
• Loyalty programs with significant balances

This inventory lives in your letter of instruction or family emergency binder.

Cryptocurrency: the hardest case

Cryptocurrency held on an exchange (Coinbase, Kraken, Gemini) can be inherited via the exchange's death process with a death certificate, court order, and proof of beneficiary. Slow and expensive, but possible.

Cryptocurrency in self-custody (a Ledger, Trezor, or software wallet) is gone forever without the seed phrase. Period. There is no recovery, no customer support, no court order that helps.

The handoff for self-custody crypto requires the seed phrase to reach the heir without ever existing on paper your family can be tricked into surrendering or hackers can intercept. Standard approaches:

• Steel plate engraving stored in a fireproof safe with the location referenced in the letter of instruction
• Split the seed across multiple physical locations using Shamir's Secret Sharing
• Multi-signature wallets where the heir is one of two or three required signatories

Never email a seed phrase. Never store it in the cloud. Never write it in the letter itself. The Cryptocurrency Inheritance Planning industry has emerged specifically around this problem; for significant holdings, professional inheritance services are worth the cost.

Two-factor authentication

The biggest practical blocker for executors is 2FA. Even with the password, the executor cannot log in without the second factor — usually an SMS code or authenticator app on the deceased's phone.

Three preventive moves:

• **Store backup codes.** Every 2FA-enabled account offers one-time backup codes during setup. Print them and store in your safe.
• **Use an authenticator app that syncs.** Authy, 1Password, and Bitwarden authenticator features sync the 2FA secrets to the password manager — so the emergency contact who receives vault access also receives the 2FA codes.
• **Keep the phone accessible.** The executor will physically need the deceased's phone for several weeks of authentication challenges. The phone's lock code should be in the password manager or sealed envelope.

Email is the master key

Email accounts deserve special attention because they are the recovery vector for almost every other online account. Whoever controls the email can reset passwords for almost everything. This is also why email accounts are the most vulnerable target after death — give one trusted person access, and they have functional access to the entire digital footprint.

For most families, the spouse or executor should have email access via the password manager. Other relatives generally should not. Email access is not casual — treat it as you would access to a checkbook.

Test the system

Most families set up the layers and never verify them. Twice a year, test:

• Can the emergency contact actually request access through the password manager? Walk them through the request flow (don't complete it).
• Are the provider legacy tools still set up? Settings change after platform updates.
• Is the letter of instruction current with your latest accounts?
• Does the executor know the safe combination and recovery key location?

A handoff plan that hasn't been verified is a plan that probably has a broken link somewhere.

What VoiceWill™ does

VoiceWill™'s voice intake walks through digital asset inventory as part of the will conversation, includes RUFADAA authorization language by default, and stores your digital handoff plan in the family vault with credentialed family access tied to verified identity and death certificate processing.

The bottom line

Without setup, your family is legally locked out of your digital life — and the technical workarounds put them at risk of federal computer fraud charges. The fix is four layers: a password manager with emergency access, provider legacy tools, explicit RUFADAA authorization in your will, and a digital asset inventory in your letter of instruction. The setup takes an afternoon. The cost of skipping it is your entire digital legacy disappearing.