App Idea: digital heritage ("Digitaler Nachlass") - technically possible?

If a user dies, it can be impossible to get access to his/her account and the assets within (files, passwords, photos, …).
Due to 2FA or hardware token authentication (WebAuthN), the second factor can be lost in a fire or accident.
Additionally, this is a hen/egg problem: you need the phone PIN to access the 2FA information to get access to the phone PIN within the Nextcloud Password App…

I have the following idea for a “digital heritage” app and would like someone with development insight to assess, if this is technically possible to implement as an app, or if some features need to be implemented in the Nextcloud Server project.

Setup process
In the setup process, the user creates a “trusted person” as digital heir to their data.
Nextcloud creates a complex password that can be printed out and put in a safe place (e.g. a sealed envelope in a safe or a bank vault).
The printed page must include the “start inheritance process” URL, full names of the user and the “trusted person”, and the password.
In case of death of the user, the printed page can be used to start the digital inheritance process to log into Nextcloud and access the deceased person’s digital assets.

Inheritance process
The “trusted person” opens the “start inheritance process” URL and enters the password. This starts the following process:

  1. The trusted person is presented with a notification, that the inheritance process was started and that the waiting period is “n” days (e.g. 14 days)
  2. The user is notified by Nextcloud, that a trusted person has started the inheritance process. The user can cancel the process within the waiting period.

Logging in as heir
If the waiting period has passed and the process was not cancelled by the user, the “trusted person” can log in with the “start inheritance process” URL using the password and access Nextcloud and the available apps in the late user’s name.

Open questions, a list of ideas

  • Can Nextcloud be put in a “read-only” mode for a user? This should be forced for all installed apps as well, to avoid uploading of false evidence or deleting of certain files or passwords.
  • At the start of the “inheritance process” the “trusted person” can enter a E-Mail address to be informed about the progress of the process (Whether it was cancelled or completed).
  • The heir can only download an archive of the files/pictures or passwords.
  • The heir cannot share files or upload new files.
  • The heir can delete the user’s account once all data is downloaded and the inheritance process is completed. (Maybe again with a waiting period?).
  • It might be necessary to enable/disable this feature depending on the country of the user due to local laws.

Possible enhancements

  • The user can create multiple “trusted person” accounts.
  • The user can assign Folders/Files/Passwords/(Tags?) to one or more “trusted person” account(s).
  • The “trusted person” only gets access to their assigned digital assets.
  • The user can set one folder or file(s) to be released immediately when starting the inheritance process. (e.g. a current photo of the user, cv, self-written obituary, …) to be able to create a obituary or obituary notice.

Technical solutions I have already considered
I considered adding the “trusted person” as additional Nextcloud user, but the user might have 2FA requirements set by the server and the user might not have full access to all of my data or new passwords. The user would possibly receive Nextcloud notifications to the assigned E-Mail address or phone number.
I also considered adding an application password instead of this process, but this would give the person with the password immediate and unrestricted access to my account or I might “clean up” the unused app password in the security settings.

Additional context
While researching this topic, I found multiple companies that offer “digital inheritance” services, but I prefer to use my own infrastructure and have the product open-source. I also have very limited experience in software development.

The following terms I used above may need some explanation:

  • trusted person: a trusted person to the user, a potential heir to their digital assets
  • 2FA: two factor authentication (using a phone app or physical hardware token)
  • digital heritage: inheritance that consists of digital assets like files, digital photos or videos, passwords to social network accounts (e.g. facebook, instagram, linkedin, tiktok, ), e-mail accounts, digital banking apps or phone PINs, vault combinations, private keys for accessing computers, etc.

I don’t really agree with the premise that this is needed. A Nextcloud administrator can easily disable a user’s 2FA, reset their password, or directly access their files. They can also reassign a user’s files to another user.

I could see that maybe you want to accomplish this without involving the administrator. Presumably this would be for users who are both 1.) not on a business system where the data belongs to the business, and 2.) are not on a personal system where the administrator can handle it using existing tools. I wonder if that happens often enough to offset the security risk of adding code that can grant access to a user’s account.

The admin can reclaim your entire account already and transfer ownership. User export is in development.

Nextcloud is not a trustless system (the admin can access your data).

I would like to mention the End-to-End encryption not discussed here.

End to End Encryption - Nextcloud
(only working with Nextcloud clients and not with the web interface)

In this case, the data is always lost (if no measures are taken by the user).

e2e is effectively unrelated to what else is discussed here, and didn’t mention it since it would only cause confusion.

  • Reading the linked endtoend page will not help anyone understand it. See github repo
  • that video does not explain the actual ways e2e works, because it has a number of things to develop (already discussed countless times on the forum) and very little development as you’ll find by searching the forum or github.

e2e is not an answer here, nor would it be possible to recover by any method other than possessing the keys. If you need something similar , create an encrypted partition with some other tool that has a stronger lineage (Cryptomator) and give the other person your keys in a keepass database or similar.

Back to digital inheritance

It would be nice if such a process could happen through a GDPR request. Even if you are alive, how does the user retrieve all of their data to begin with beyond making the initial request?

Thank you for the responses.

In my case, I am the Nextcloud administrator of a very small instance used by my family.
Without proper documentation - and access to my “admin” account - it would be impossible for my wife or my children to reset my password or get access to my data.

With e2e encrypted folders it is the same as with any other encrypted data: It is the responsibility of the user to properly document any and all important passwords/private keys/… Otherwise it is impossible to retrieve the data post-mortem.

Even with the GDPR export: If you do not have the master (e2e-) password for the Passwords app or if you lost your encrypted folder’s e2e passphrase, you will just get a lot of “random” encrypted data.

That is why I see the need for another technical solution that the users themselves can manage without intervention of an admin account.

Let me rephrase my main questions:

  • Is there a way for an app to authenticate in the name of a user, regardless of their additional enabled security measures (2FA, external account (LDAP/OAuth2/…), …) ?
  • Is there a way for an app to restrict the actions of this “user” - even if the interactions happens inside other apps (Passwords, PhoneTrack, Bookmarks, Gallery, …) ?

If not, the features that I need as a basis of the functionality cannot be implemented as an app and I will have to look into different ways to “forward” access to my important data.

This is exactly what you will need to do. You need to properly document everything the non-technical person should know. You’ll also want to store your credentials and setup notes somewhere offline (keepass), where the information can be retrieved when your server is offline or you are otherwise unavailable / dead.

GDPR export is not resolving what you want. Instead, you’ll need to document how someone can either take over administrative access, or simply login as your admin user.

Too vague, but you’ll still need to turn over admin access in general. What are the authentication methods? Please start reading the admin documentation and educating yourself by seeing the actual github repos of each app, as linked from their appstore listings.

Also vague. You can restrict access to the apps themselves by adding them to groups under apps section of admin settings. Then add your users to user groups which grants them access to only the app groups you’ve defined.

Create group → Add user → Go to ‘Apps’ → Select the desired App → Select ‘Limit to groups’ (if available) → Select desired group

Then you must document a method for them to retrieve admin access without you, exactly as you’ve described.

  • This is how Nextcloud works. Admin has complete control.

If you want to give them admin access, create a new admin user now and save the account credentials and recovery codes where your family can retrieve them in the event of your demise. Or, record down the access to your personal account.

I just wanted to add that “Digital Inheritance” is more of a concept than a specific technical solution, and there is no “one fits them all” solution. Yes, there are service providers that you can give access to your accounts, Bit Coin wallets, etc. that will then transfer your digital assets and accounts to someone who you authorized. But if you want to manage and host things yourself, you also have to manage this process yourself and document everything yourself. @just has provided good pointers.

The easiest option would probably be to use a password manager where you keep your usernames, passwords and the URLs of all your accounts and then keep the master password somewhere safe and make sure your inheritors get access to it in the event of your demise. This can be an online password manager, or a local password manager like Keepass. With Keepass, you would of course also have to make sure that an up-to-date version of the password database will get passed along.

Another challenge is 2FA. If you are using some sort of 2FA you would also have to pass a long the 2FA tokens or your FIDO stick. But most services including Nextcloud allow you to register multiple 2FA devices and / or you can generate backup codes, which you then could pass along together with the master password.

Example using KeePass XC:

A completely different story is of course, whether someone will be able to continue running your self-hosted infrastructure. In my case only my girlfriend and I are using my infrastructure, and she would of course gain access to my Nextcloud account and also to a backup of all the files. But when I’m gone, she would have to switch to Google or some other SaaS Provider, because there is no way she could administer a self-hosted infrastructure… :wink: