If a user dies, it can be impossible to get access to his/her account and the assets within (files, passwords, photos, …).
Due to 2FA or hardware token authentication (WebAuthn), the second factor can be lost in a fire or accident.
Additionally, this is a chicken-and-egg problem: you need the phone PIN to access the 2FA information to get access to the phone PIN within the Nextcloud Password App…
I have the following idea for a “digital heritage” app and would like someone with development insight to assess whether this is technically possible to implement as an app, or whether some features need to be implemented in the Nextcloud Server project.
Setup process
In the setup process, the user creates a “trusted person” as digital heir to their data.
Nextcloud creates a complex password that can be printed out and put in a safe place (e.g. a sealed envelope in a safe or a bank vault).
The printed page must include the “start inheritance process” URL, full names of the user and the “trusted person”, and the password.
In case of death of the user, the printed page can be used to start the digital inheritance process to log into Nextcloud and access the deceased person’s digital assets.
Inheritance process
The “trusted person” opens the “start inheritance process” URL and enters the password. This starts the following process:
- The trusted person is presented with a notification that the inheritance process was started and that the waiting period is “n” days (e.g. 14 days).
- The user is notified by Nextcloud that a trusted person has started the inheritance process. The user can cancel the process within the waiting period.
Logging in as heir
If the waiting period has passed and the process was not cancelled by the user, the “trusted person” can log in with the “start inheritance process” URL using the password and access Nextcloud and the available apps in the late user’s name.
Open questions, a list of ideas
- Can Nextcloud be put in a “read-only” mode for a user? This should be forced for all installed apps as well, to avoid uploading of false evidence or deleting of certain files or passwords.
- At the start of the “inheritance process” the “trusted person” can enter an e-mail address to be informed about the progress of the process (whether it was cancelled or completed).
- The heir can only download an archive of the files/pictures or passwords.
- The heir cannot share files or upload new files.
- The heir can delete the user’s account once all data is downloaded and the inheritance process is completed (maybe again with a waiting period?).
- It might be necessary to enable/disable this feature depending on the country of the user due to local laws.
Possible enhancements
- The user can create multiple “trusted person” accounts.
- The user can assign Folders/Files/Passwords/(Tags?) to one or more “trusted person” account(s).
- The “trusted person” only gets access to their assigned digital assets.
- The user can set one folder or file(s) to be released immediately when starting the inheritance process (e.g. a current photo of the user, CV, self-written obituary, …) to be able to create an obituary or obituary notice.
Technical solutions I have already considered
I considered adding the “trusted person” as additional Nextcloud user, but the user might have 2FA requirements set by the server and the user might not have full access to all of my data or new passwords. The user would possibly receive Nextcloud notifications to the assigned E-Mail address or phone number.
I also considered adding an application password instead of this process, but this would give the person with the password immediate and unrestricted access to my account or I might “clean up” the unused app password in the security settings.
Additional context
While researching this topic, I found multiple companies that offer “digital inheritance” services, but I prefer to use my own infrastructure and have the product open-source. I also have very limited experience in software development.
Vocabulary
The following terms I used above may need some explanation:
- trusted person: a trusted person to the user, a potential heir to their digital assets
- 2FA: two-factor authentication (using a phone app or physical hardware token)
- digital heritage: inheritance that consists of digital assets like files, digital photos or videos, passwords to social network accounts (e.g. Facebook, Instagram, LinkedIn, TikTok), e-mail accounts, digital banking apps or phone PINs, vault combinations, private keys for accessing computers, etc.
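
Added example, not part of the original post and not Nextcloud code: a small Python model of the proposed flow (printed password, waiting period, cancellation by the user, heir login). The class and method names are hypothetical, and two details are assumptions: the server stores only a salted hash of the printed password, and cancelling invalidates that password.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

class InheritanceGrant:
    """Hypothetical model of the proposed process; not a Nextcloud API."""

    def __init__(self, waiting_days=14):
        self.waiting = timedelta(days=waiting_days)
        self.salt = secrets.token_bytes(16)
        self.digest = None       # assumption: only a salted hash is stored
        self.started_at = None   # set when the trusted person starts the process
        self.cancelled = False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 600_000)

    def setup(self):
        """Create the password for the printed page; returned once, never stored."""
        password = secrets.token_urlsafe(32)
        self.digest = self._hash(password)
        return password

    def _check(self, password):
        # Constant-time comparison avoids leaking how much of a guess matched.
        return self.digest is not None and hmac.compare_digest(
            self._hash(password), self.digest)

    def start(self, password, now):
        """Trusted person opens the URL: begin the waiting period."""
        if self.cancelled or not self._check(password):
            return False
        if self.started_at is None:
            self.started_at = now  # a repeated start must not move the clock
        return True                # the real app would notify the user here

    def cancel(self):
        """The living user cancels within the waiting period."""
        self.cancelled = True
        self.digest = None         # assumption: the printed password is invalidated

    def heir_login(self, password, now):
        """Allow access only after the full waiting period, if not cancelled."""
        if self.cancelled or self.started_at is None:
            return False
        if not self._check(password):
            return False
        return now - self.started_at >= self.waiting
```

The check in `heir_login` is what separates this from the application-password idea: possession of the printed page alone never grants immediate access.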