About the Author: Adam Zuckerman is an attorney, MBA, and the founder of Buried in Work, which provides resources to simplify estate planning and end-of-life tasks.
A friend recently told me about a week that still makes her tense just thinking about it. Her father died, and the family believed they were prepared. They had a list of his passwords. They knew his bank. They knew the bills that needed to be paid.
And then, nothing worked.
A login required a code sent to his phone, which was locked. The email account needed to reset the password also required a code sent to that same phone. A key account wanted approval from an authentication app on a device no one could open. Even services they could identify could not be accessed, changed, or closed.
The family had passwords, but they did not have access.
That is the shift families need to understand. We are living through a quiet change in how digital life works. The old advice, “collect your parents’ passwords,” is increasingly outdated, often ineffective, and sometimes legally risky. The better goal is to plan for authorized access to systems.
The Evolution of Access
The password used to be the whole game.
In the early days of the digital shift, we treated our online lives like our physical ones. Just as you’d watch the mailbox for bills and bank statements, you learned to monitor email and online portals. The task didn’t disappear; the paper just turned into pixels.
Account access followed a similar path. There was a time when a password was a literal key: if you held it, you were in. Families managed this with “just in case” lists kept in a kitchen drawer or shared with an adult child. It wasn’t a perfect system, but it matched the simplicity of the era.
Then, the walls got higher.
First came password managers, which traded dozens of weak, reused passwords for hundreds of complex ones stored behind a single master key. Then came two-factor authentication, a shift that meant knowing the password was no longer enough. Suddenly, you needed a second “handshake”—a one-time code sent via text or email to prove you were who you said you were.
Next, security moved onto our hardware. We adopted authenticator apps and push notifications that required us to already have a secondary device unlocked and in hand.
Now, we are entering the era of the passkey. Best described as a digital credential tethered to a specific piece of hardware, the passkey begins the final move away from passwords entirely. Access is no longer about what you remember; it is about the device you own plus the biology you carry, which could be a fingerprint or a face scan.
On one hand, this is a triumph. Scammers now face hurdles that are nearly impossible to clear, and our data is safer than ever. But on the other, the “family side” of the equation is breaking. The kitchen drawer is empty, the master list is obsolete, and the “just in case” plan has become a complex IT challenge.
Why Password Lists Are Failing In Real Life
Families often learn this only after a death or medical emergency. They may have a list of passwords and still be unable to do basic tasks.
A bill cannot be paid because banking requires a device approval. An insurance account cannot be updated because the recovery email is inaccessible. A subscription keeps charging because cancellation requires logging in, and logging in requires a code that nobody can retrieve.
In other cases, a family member can technically get in by using a saved device or a known PIN, but doing so may violate terms of service, create disputes among heirs, or raise legal questions if the person did not have proper authority.
The problem is not that families did not try hard enough. The problem is that modern digital life is built around identity verification and secure access paths, not shared passwords.
The Real Goal Is Authorized Access
Instead of asking, “What are your passwords?” the better question is:
“If something happens to me, who has the legal authority and practical ability to manage your digital and financial life?”
That question changes the planning conversation. It shifts families away from password scavenger hunts and toward a system that works under stress.
A modern access plan usually includes:
- Clear legal authority, such as powers of attorney for incapacity and proper executor or trustee designations for after death.
- An organized account inventory so someone knows what exists, where it is held, and what matters most.
- Device access planning, because phones and computers are often the gatekeepers to everything else.
- Recovery paths that are documented, including which email accounts and phone numbers are used for account recovery.
- Use of legacy features and trusted contact tools offered by major platforms, where available.
This is not about invading privacy. It is about preventing a predictable crisis.
Biometrics Will Raise the Stakes Even More
We have reached a tipping point where your finger or your face is no longer just a shortcut. Instead, it is your access. Because passkeys are tethered to the living person, “unlocking” a life often depends on the physical presence of the account holder.
This is by design. The system is working exactly as intended when it keeps the wrong person out.
But families must recognize the heavy trade-off: If no authorized access plan exists, the system is now efficient enough to lock out the right people, too. Without a “digital estate plan,” the security measures that once protected a loved one can suddenly freeze estate administration, complicate urgent caregiving, and leave vital tasks in a permanent limbo.
The solution isn’t to fight the tide of security or return to the days of post-it notes on monitors. The solution is to recognize that in an era of biometric security, access must be delegated before it is needed. We don’t need less security; we need a better plan for when the keyholder is no longer there to provide the thumbprint.
What Families Should Do Now
If you are helping aging parents, or if you are planning for yourself, start with a calmer conversation and a better goal.
Do not begin with, “Give me your passwords.”
Start with:
- “If you were in the hospital for two weeks, how would bills get paid and mail get handled?”
- “If something happened tomorrow, would someone know what accounts exist and who to call?”
- “Who is authorized to act for you, and where is that paperwork?”
- “If your phone is the key to everything, who can unlock it if you cannot?”
The goal is to reduce confusion later, not create discomfort now.
Planning Is a Practical Act of Care
Families do not struggle after a death because they lack love or effort. They struggle because information is scattered and access is blocked.
That is why we need to retire the old advice. Password lists are no longer enough. In a world of two-factor authentication, device prompts, and biometrics, families need something stronger.
They need a system, and they need authorized access.
Because when the moment comes, the question is not whether your family can guess the right password.
It is whether they can move forward without unnecessary obstacles.
If you have feedback, questions, or ideas for future articles or Information Hubs, please contact us. Your insights help us create valuable content.
