Preparing Your Digital Legacy

MacMad Meeting Topic September 2023

What happens to your digital possessions after your death? How can you make sure that they are available (or not available) to your heirs as you wish?

The same preparations that will help your heirs after your death can help you while you are alive. They can help with disaster recovery after a fire, flood, etc. They can help in the event you have to go to the hospital or are temporarily incapacitated. They can help if your phone or computer is lost, destroyed or just quits working.

Apple ID and iCloud

For Apple users, the obvious place to start is your Apple ID. This single ID controls your Apple email account, your iCloud on-line storage and many other things you may or may not be using.

If your heirs know your Apple ID credentials, they can access your stored photos and documents, read your email, unlock your locked devices and prepare computers and devices for sale. Without your Apple ID, they may be completely locked out of doing any of those things.

Apple has a Legacy Contact Provision that you can use to designate a person to have access to your Apple ID after your death.

How to add a Legacy Contact for Your Apple ID

If someone has died without a Legacy Contact, you may still, in some circumstances, get access to their account.

How to request access to a deceased family member’s Apple account

Make a List

Make a list of your on-line accounts and keep it in a safe place for your heirs. Note that probably every company you do business with has an on-line account. The list can be on paper, or in digital form. Just make sure that your heirs will be able to access the list.

You should make some notes as to the purpose and significance of each account. If you have an account at foobar.biz, will your heirs have any idea if that’s important, or why you had it? In a year or two, will you yourself remember why you created that account?

What’s in the List

A descriptive name, e.g. A fabulous Example Site
The URL of the Web Site, e.g. example.com
Username, e.g. John Doe
eMail address associated with the account, e.g. [email protected]
Password, e.g. monkey123
2FA info, e.g. This site doesn’t support 2FA
Notes, e.g. A social media site primarily for dogs

Note that your Username on a site might be an email address or not. Note that the site probably doesn’t have anything to do with the email domain (me.com, in the example), unless the site is an email provider.

Passwords are case sensitive. For handwritten lists, make sure your writing is clear, and that upper and lower case letters are clearly distinguished. One convention is to underline capital letters. eMail addresses are never case sensitive, and are usually written in all lower case.

Password Managers

A password manager is essentially a place to keep a list of all your accounts, while keeping the passwords safely encrypted. This is ideal information for your heirs, if they can get access.

Legacy access is just another reason to use a password manager.

Popular Password Managers include:

Apple’s Keychain
1Password – (1Password emergency Kit)
Bitwarden – (Bitwarden Emergency Access)
LastPass – (Lastpass Emergency access)

You may be able to establish an emergency or legacy contact for your password manager. You may be able to have shared password vaults with your family members, so that they always have access to those accounts.

Things You Should Keep On Paper

You should keep a paper copy of at least your most important accounts and passwords. This would likely include your password manager and passcodes to your devices. You should include backup 2FA (2nd factor Authentication) codes, if you use 2FA for those accounts. Don’t forget to mark on the 2FA codes exactly which service and account they are for. Put all these papers somewhere like a safe or safety deposit box.

eMail Accounts Are Important

You might think that your email is unimportant — just a pile of silly memes and spam. But your email is often the key to accessing your other, more important, accounts. Most accounts require an email address to sign up. If you forget your password (or your heirs don’t know it), the forgot password password recovery process uses your email to reset your password.

This is why you should use strong passwords and good security on your email accounts, and also why you should make sure your heirs can get access.

Keep accounts separate from your spouse

Death is another good reason not to use shared email and other accounts. You don’t want your account to be closed because your spouse has died.

Your Phone is Important

Your phone is another way to access your accounts. The account sign-on or recovery process often includes a text message or phone call with a sign-in code. If you or your heirs lose access to your phone, that process will be stymied.

Apps on your phone are often the easiest way to access your accounts. If you have authenticator app(s) (for 2FA codes) on your phone that you use to sign in, how will your heirs sign in without access to your phone?

Google, LastPass, Microsoft and others have stand-alone authenticator apps.

The Apple Wallet App is probably only accessible on your iPhone or Apple Watch. Your heirs might need that to pay the credit card bills.

Precautions

Back up your iPhone periodically, either to your computer, or to iCloud.
Make sure your heirs can find your iPhone passcode.
Consider adding your spouse’s fingerprint or face ID to your device

If you need to restore a phone because of a forgotten passcode, almost everything will be restored, except Authenticator App data, and the Apple Wallet.

Other Accounts

Every web site and company will have its own methods for account security and recovery. There are a few things you can do to make account recovery easier for you and for your heirs.

Establish backup email addresses, and backup telephone numbers if the site supports them. Add your trusted spouse’s phone, for example as a secondary method of receiving login codes.

Similar to your Apple ID, your Google account is multifaceted. It governs Gmail, Google Photos, Google Pay and Google Drive (and more). Many people have important documents and precious photos in Google Drive and Google Photos.

If you can’t or don’t want to provide credentials to your account to your estate, you can set up a policy with the Inactive Account Manager. You can specify what happens to your Google account when it becomes inactive for a specified time — presumably when you have died. You can give access to specified people, and/or specify that your account is to be deleted.

Many accounts have no legacy or inheritance feature. The survivors have to go through a process with a death certificate or letters of administration to gain control of the deceased account.

What’s Most Important to Your Heirs

Where’s the money?
How can I get access?
Where’s the tax information for final IRS return?
Where are the family photos?
How can I delete or close the account?
How can I sell the device?
How can I cancel the subscriptions?

Other Things to Consider

Financial Accounts

Banking
PIN
Investment
Insurance
Cryptocurrency wallets and exchanges
PayPal
What will your heirs need in order to pay all the bills?
Retirement accounts
IRS.gov, ID.me accounts. Heirs need to file your final tax return.

Home

Alarm Codes
Keypad codes (door locks)
Safe combinations
Websites for alarm systems
Solar generating systems
Home Monitoring services

Cars

Pin and Keypad codes (yes, some cars have these)
On-line account credentials (yes, some cars have these)
SiriusXM subscription
Dashcam account
SunPass account (toll transponders)

2FA Keys

Physical Keys, (Yubikey)
2FA Apps
BACKUP CODES – make sure you have printed out backup 2FA codes for your accounts and stored them safely

Other Companies & Web Sites in General

Frequent Flyer Miles, Travel Points (can be valuable) Airline miles – often not “officially” transferable, but can be if you have the credentials
do you have an email account at your ISP that you use?
Genealogy – you did it for your heirs, right?
Access to family tree
Access to DNA test results
Amazon
music, photos, videos, books

What would your heirs need in order to sell your computer?

Sign-On Password
Administrator Password
Firmware Password
File Vault Unlocked
Apple: What to do before your sell, give away, trade-in or recycle your Mac

iPad and iPhones, Apple Watch

passcodes
voice mail code
Apple Article on Preparing iPad or iPhone for Sale, give-away, etc.

Digital Media (usually can’t be officially transferred)

Purchased Music
Purchased Movies & TV Shows
Purchased Software (Software Licenses)
Purchased eBooks

Social Media Accounts

How your heirs might notify folks of your passing
Heirs might want to close the account(s)
Access to photos stored on-line
If you didn’t use your real name/birthday on FB or others, your heirs might not be able to delete or memorialize the account because the details on the death certificate don’t match.

Clubs and Organizations

Club accounts
Webmaster signons
Treasury accounts
Domain name registrar accounts

Introducing Passkeys

Why are they better than passwords?

In the coming months, you will probably change how you sign on to your favorite web sites.

Passkey support is coming to your devices and web sites to provide a sign-on process that is both more secure and more convenient than the familiar but annoying username and password system.

Passkeys were developed and supported jointly by Google, Apple and Microsoft through the FIDO Alliance.

Passkeys are superficially similar to the Logon with Apple or Logon with Google buttons you may have seen on some web sites. Passkeys, however, represent a single, unified standard logon mechanism that a web site can implement once, which then supports all platforms. The buy-in from major tech companies means that passkeys will probably be widely adopted.

This short video from iThemes (2:58) gives a quick overview of Passkeys. Although it is specific to WordPress and iThemes Pro, most of what is described is general-purpose.

This video from the Apple Developer Conference gives a good overview of passkeys in the first 7:30 or so. After that, the video goes deep into developer technical details.

To use passkeys to logon to a site, passkeys must be supported by both the web site and by your device. For a device to fully support passkeys, it must have biometric authentication. On Apple devices, that means Touch ID or Face ID.

However, you can use your phone (which has Touch ID or Face ID) to logon to a web site on a computer that lacks biometric authentication. You will simply scan a QR code presented by the site with your phone, and passkeys can log you in.

Biometric authentication is used only to identify you to your device. Your face or fingerprint is never transmitted to the website or outside your device.

To sign in, you will first enter your username or email address as usual. But, instead of entering a password, you will simply click Login with Passkeys, and your device will log you in securely. Since you don’t have a password, it can’t be stolen, either from you, or from the web site.

Once you have set up a passkey for a site on one of your Apple devices, it will be automatically available on your other Apple devices through iCloud. Remember, that it can only work on newer devices that have Touch ID or FaceID.

At present, there is no way to share passkeys between platforms, so your Passkeys created on an Apple device won’t easily transfer to your Microsoft Windows PC, or vice versa.

PassKeys is already supported in current versions of iOS (iOS 16.x) and MacOS 13 (Ventura). Microsoft’s implementation of passkeys is part of “Windows Hello”.

Right now, just a few web sites support passkeys, but the list is growing.

If you want to try passkeys yourself, there is a demonstration web site which lets you try creating a passkey and logging on with it.

Password Managers

Whatever password manager you are using, don’t get rid of it yet. Some sites will continue to use passwords. Passkeys will work in conjunction with Apple’s own password manager, Keychain. The popular password managers, Bitwarden and 1Password will probably have some sort of support for passkeys in the future.

If you are in the habit of writing your passwords down in a little black book, all you will need to record is the name of the website, your username or email, and “Use passkeys”. Anyone looking at that book would not be able to logon as you, because they won’t have your device or your face or fingerprint.

The same (lack of) information is probably what would be recorded in a password manager app. Again, it’s nice that there is no password for anyone to steal.

Keychain for Passwords

Here are the slides from our Oct 19, 2021 meeting. (PDF)

The topic was using Apple’s Keychain to store passwords.

Hackers vs. Passwords

This is a useful chart to see if maybe you should change your password.

Beware Fake iCloud or App Store emails

There has been a recent spate of phishing emails purporting to come from Apple. Typically they show some sort of a purchase or subscription that you supposedly bought from Apple. As always, DO NOT CLICK LINKS in emails.

If you want to check your account, do so from within iTunes, or by logging in at iCloud.com or Apple.com yourself.

In the email there are some suspicious indicators if you look for them. First of all, the email is not from the domain apple.com.

Second, the mail addresses you as “Valuable Customer”, not by name.

The bad guys expect you to be outraged that you are being charged for something you didn’t order — and that you will rashly click on the link they provided.

I don’t know what happens when you do that. Probably, it is a fake imitation of the Apple sign-in page where your credentials will be stolen. However, it may be some kind of attack that takes place merely by visiting the site.

Be safe out there, folks!

Two-Factor Authentication for Apple ID

Two-Factor Authentication and One-Time Passwords

MacMAD Meeting Topic for June 20, 2017

Your Apple ID is your single set of credentials for everything from Apple, including:

Email
iCloud files, calendars, contacts, etc.
Photos
purchases on the iTunes store
buying hardware on the Apple Store

This is pretty important stuff, right? You don’t want your credentials to fall into the wrong hands!� Until recently, those credentials consisted of only your username and password, which seldom change. If a bad guy got hold of those, he’d have complete access to your Apple identity.

To help prevent that, Apple set up Two-Factor Authentication (2FA).� With 2FA, in addition to username and password, you must also give a verification code. Verification codes are sent to your phone or other trusted device. The verification code is different each time you log on.

Two-Factor Authentication is optional for users. However, you may now be forced to use it if you use certain apps — those which access your iCloud account.

Some apps require access to your files in iCloud, and therefore need your iCloud credentials to do so. This is fine, but you don’t want them to have the keys to your entire kingdom, do you? You don’t want a calendar app to order a new Macintosh, or delete your photos.

To control such apps, Apple now requires them to access iCloud using a One-Time password. This allows them to bypass 2FA, but using a special password which is only useable by that app for limited purposes. Once you give a one-time password to an app, and it uses it, it can never be used again for any other purpose.

You do not need to store or remember one-time passwords. If for some reason you need to re-authorize an app, you can simply generate a new one-time password for it.� Dennis explains how to do all this in these slides from this month’s meeting:

Apple Two-Factor Authentication 2017

VPN – Virtual Private Network Meeting Topic

MacMAD’s October, 2016 Meeting topic is VPNs (Virtual Private Networks). Here are some accompanying links and information.

People generally use a VPN for these reasons:

Security and privacy when using a public network, such as at a coffee shop or hotel.
To allow access to online content which is subject to geographical restrictions.
To allow remote access to a private local network such as your home network or your employer’s network
Provide privacy at home (prevent your ISP from knowing what you are up to)

VPN Features to Look For

Automatic connection and reconnection – prevents accidental leakage of unencrypted data
Choice of VPN endpoint – What country would you like to be in today?
Self Installation/Configuration – Avoids lots of technical settings

Client and Server

VPNs follow a client-server model. The client app usually runs on your computer or portable device. The server can be either a commercial VPN service or you can run your own VPN server at home on your router (some models) or on another computer. There are many (hundreds) commercial VPN providers. The following list is not at all complete.

Commercial VPN Providers

VPN Software

OpenVPN Client Software
Tunnelblick – free, open source graphic user interface for OpenVPN on macOS

VPN Protocols

Your choice of protocol will probably be determined by what your server or provider supports.

PPTP – (Point-to-Point Tunneling Protocol) Old, do not use. No longer supported in macOS Sierra. or� iOS 10.
L2TP – (Layer 2 Tunneling Protocol) needs IPSec or similar to be secured.
IPSec – (Internet Protocol Security) A modern protocol.� Can work in conjunction with L2TP.
IKEv2 – (Internet Key Exchange version 2) A modern protocol.

Here’s the MacOS VPN Dialog in System Preferences

July 2016 Security & Backup Meeting Slides

We’re trying something a bit different this meeting. So you don’t have to take notes, we’re putting the presentation on-line. And we’re doing it the Apple Way – using iCloud. You should be able to view these links on Mac or iOS. They are Keynote documents.

Here are the slides for tonight’s meeting as a shared iCloud (Keynote) document.

And here are the slides from November 2015’s Security presentation.

After clicking one of these links, you will be able to view the slides in your web browser, or you can download and open a copy in Keynote. Here’s what that looks like in iOS:

Macintosh Security

Here are the slides from October’s meeting on Macintosh Security.

MacMAD MacOS Security from bos45

Wireless Emergency Alert System Flops Badly

If it hasn’t happened to you yet, it will soon. Your phone or someone’s near you will alarm loudly, and you will see an important-looking message. �This is the government-mandated Wireless Emergency Alert system in action.

This is an alert I received this morning on my android phone:

A system like this depends on user acceptance to function properly. So far, the main reaction of users has been “How do I turn this off”? Why?

There are several serious problems with this particular alert and the system in general. First of all, the alert on Android is presented as a one-time modal dialog box. You have to press OK before you can do anything else. Most people will do that within seconds. On my phone, at least, once OK is pressed, the alert is gone. You have no way to retrieve or review it. How many people will remember the license plate number even a minute later?�The only way I could capture the alert dialog was to take a picture of it with another phone. I �understand that on iOS, the alert remains visible in the notification center. Can anyone confirm that? Two points for Apple if so.

I have no confidence in a system where I cannot review past history. Alerts should remain reviewable for some time, even if they are cancelled, if they appeared on my phone once, I should be able to look at them again.

The second problem is that the alert does not say who sent it. My first question on seeing one of these for the first time was, what app generated this alert? I had installed some weather apps, maybe it was one of those. I was vaguely aware of the WEA system, but wasn’t sure if that was the source of the alert I was seeing. The question of who sent the alert also applies at the agency level. Did this come from the governor, the corner police station, who?

Problem number three, the alert doesn’t say what to do. What do I do if I see the missing pickup? The weather alert said to turn on the TV, I believe, which is a little more useful. I can’t check that though, because there is no way to recall past alerts.

The fourth problem, is there is no way to get more information. Any half-baked messaging app will let you click to see a photo or web page. How about some photos of the missing person, the vehicle and the suspect? How about a weather map of the tornado warning area? We get none of that.

Another, less serious, problem is that users are unfamiliar with these alerts. They have never seen them before. I would suggest that in the settings for WEA, there be a button for users to generate a demo alert, just on their own phone, so they can see what the alerts look and sound like.

Ask about these problems, and you will hear that there are technical limitations — the system only allows 90 characters of text. I must say, that’s a pretty bad design. What do you expect from a government design? It needs to be changed. Some high school students could make a better system than this in an afternoon.

WEA (Wireless Emergency Alert) Overview

WEA sends alerts through the cellular system. The alerts are sent only to phones and cell towers in the affected area. The system only operates on relatively new phones. On AT&T, the Apple models supported are the iPhone 4S, iPhone 5, 5C and 5S.

The switches to turn off Amber Alerts and Emergency Alerts in iOS are in Settings/Notifications/Government Alerts. There is still the “Presidential Alert” which cannot be disabled.

I haven’t been able to determine for sure whether WEA alerts are supported on any model of iPad or not. They are not happening on mine which does have cellular.

Links

WEA Overview from CITA

A good blog post about problems with WEA