The big problem with this that I don't have a good answer to... we've been told to use a password manager and have it secured with a long passphrase... and now we write down the username/passphrase on a piece of paper or somewhere else easily accessible - how to adequately secure that?
Maybe encrypt the passphrase under an m of n scheme and distribute to family & friends that you can trust to not collaborate unless you are truly incapacitated?
I've been (lightly) thinking about this with regard to digital identity.
One of the few use cases that I find very compelling with regard to blockchain/web3 tech is as a means of ID/auth much in the same way that many sites now offer options to log in with FB/Google/etc.
One big obstacle (I imagine, I haven't really looked into this that far) is that of the password reset. Some non-trivial amount of people will forget the passwords to their identity tool, and in this scenario there's no central power with the capability to reset it for them.
The simplest option is to designate trusted friends who you could delegate authority to in order to perform some multi-sig reset, but then there's the issue of a FriendCoup. If you strike it big and turn on or ignore your friends, there's nothing stopping them from getting together and performing a takeover. Even if there are individual objectors, because it's blockchain, everything's public, and these are identity wallet contraptions, everyone knows who the hold out is and can lean on them or find some way to get their password, etc.
Even outside of a FriendCoup scenario, a FedCoup scenario where the government just leans on your buddies to grant them control is pretty plausible.
So I guess the question is, what sort of strategy for this is FriendCoup/FedCoup resistant but still grants the necessary amount of delegated power?
Not entirely relevant to the above, as doing this pen and paper for a password manager is a little harder for outsiders to game given that the holders aren't public, but still a question I've been batting around. Curious about anyone's thoughts/ideas or any existing work in this space.
Edit: After thinking about this for an extra minute, if it's not time sensitive a deadman switch could probably do it. If your friends perform the multi-sig and you haven't logged in in X days, then and only then will the reset occur, so you can void an attempt. That said, falls down on the FedCoup scenario since you'd presumably have restricted access to the internet.
I think that blockchain is not the solution here. The fundamental problem is trust: do you or do you not trust n other parties with the information required to take over your digital life, no amount of fancy crypto engineering will get around that.
No amount if crypto will stand up to a Russian mobster with a crowbar and some creativity, like the xkcd https://xkcd.com/538/.
What you need is to develop a threat model and then select an appropriate solution that matches your threat model. If the threat is the KGB might torture me and my buddies, then kill switches are appropriate. Otherwise it’s no solution.
Perfect security doesn’t exist, it’s all about tradeoffs.
I think blockchain keys could work for identity, but you need another layer for authentication. Perhaps a smart contract could be used to generate and authenticate one time access codes?
That has failure modes, though, especially death on one of the N (might seem unlikely but I just had to help a friend unfuck a family member's finances after he died in a car accident next to the one trusted associate who had all his logins saved in an account locked behind 2FA secured by his iPhone which he didn't leave the unlock code to with anyone). I know there are other schemes where you only need M of N to turn the key, but really...
Leave. Your. Passwords. With. An. Attorney. And also your phone unlock code. A reputable attorney (preferably attached to a big firm) won't lose your stuff, and if they die or go out of practice they will have procedures in place to make sure you are set. This is not a situation where you want some clever DIY scheme that might fail and leave your loved ones scrambling to sort your finances when they are already devastated and mourning.
Better use three attorneys on at least two continents, one of them in the other hemisphere. Otherwise a single medium-size asteroid could easily wipe out all your backups and what then.
Actually LastPass has a solution to this they call Emergency Access. You set up loved ones, heirs, colleagues etc with their own LastPass account, and at any time they can challenge your account. After a given (variable) waiting period, if you do not cancel their challenge, the credentials in your account revert to their account. The credentials are inherited. In the case of your own cheat sheet (I have something similar), you can save the actual cheat sheet as an attachment to a Note saved in LastPass. Every now and then we test it, and it works great.
Leave it in escrow with a lawyer, along with a copy of your will.
If you are super cautious, leave an encrypted copy (or half the passwords etc) with one lawyer/escrow, and have a separate lawyer/escrow hold the decryption key/other half of the passwords etc. Along with easy instructions on how to decrypt!
End of the day, if I die at an old age, my heirs will also be old and possibly not into computers/tech. I prefer a simple approach that requires minimum skill/effort on their part aside from presenting the relevant death certificate/paperwork to the lawyer.
We don't have to outlive you! If the service shuts down while you're alive, we'll send you an email well in advance so you can switch services. That said, the service has been running successfully since 2007.
In the spirit of the OP, and finding an enduring solution... something like the deadmans switch should be implemented in a de facto utility like browser password recovery but extended with a weighted audience tied to the time elapsed. Why not have that same function that keeps up with your authentications notify X audience in Y time - 30 minutes even or 30 years with an emphasis on how perpetual. Reasonably I say we all got a good hundred years to plan for.
What about keeping the passphrase in a safe deposit box in a bank? In the best case, you have a trusted person with whom you can share access to the box. Otherwise your executor or a court could gain access, but at least the info wouldn't disappear.
Maybe encrypt the passphrase under an m of n scheme and distribute to family & friends that you can trust to not collaborate unless you are truly incapacitated?