Emergency Access Plan: How To Prepare Safe Account Recovery
An emergency access plan tells trusted people how to recover important accounts, devices, and documents without scattering passwords, recovery codes, or private keys into unsafe places.
The Short Version
The goal is not to give someone a folder full of secrets. The goal is to write a calm path through the emergency: who is allowed to act, what they should recover first, where protected access lives, and how access gets cleaned up afterward.
Start with the free emergency access checklist if you want a local planning worksheet for accounts, devices, 2FA, and trusted contacts. Use broad labels only; do not enter real passwords, account answers, recovery codes, or private keys.
Do Not Put Secrets In The Plan
- Do not paste passwords, recovery codes, private keys, seed phrases, identity numbers, or vault exports into a web page, chat, email, ticket, or shared document.
- Use the plan for pointers, roles, locations, approvals, and next steps only.
- Keep raw secrets inside the password manager, encrypted vault, device keychain, legal workflow, or sealed offline process designed to protect them.
What An Emergency Access Plan Should Include
Authority
Who is allowed to act
- Name the trusted contact, executor, household member, or backup owner by role.
- Write when they are allowed to use the plan and what proof or approval is required.
- Separate personal, household, legal, and work access so one person does not receive more than they need.
Inventory
What needs recovery
- List categories such as primary email, password manager, devices, 2FA, banking, billing, legal documents, and work admin accounts.
- Record owners, support paths, and storage locations without copying account secrets.
- Mark which accounts unlock other accounts so responders know what to handle first.
Access Path
Where approved people should start
- Point to the password manager, encrypted vault, legal document workflow, or physical sealed instructions.
- Explain how the trusted person verifies identity or gets approval before access is granted.
- Include fallback paths for lost phones, locked laptops, hardware keys, and backup codes.
Aftercare
What happens after access
- Rotate copied credentials, revoke temporary links, remove emergency access, and check account activity.
- Update the plan after device changes, relationship changes, offboarding, estate updates, or recovery method changes.
- Schedule a review date so trusted contacts, phone numbers, and storage locations do not go stale.
Document Pointers, Not Secrets
A useful plan helps someone find the protected access path. It does not duplicate the access itself. That distinction matters because emergency plans are often printed, emailed to lawyers, placed in shared drives, or discussed with people who should not receive raw credentials.
| Area | Document this | Do not write this |
|---|---|---|
| Primary email | Recovery inbox, recovery phone owner, account support path, and who can approve a reset. | Email password, backup codes, security answers, or mailbox contents. |
| Password manager | Vault name, emergency access feature, trusted contact, waiting period, and recovery procedure. | Master password, vault export, recovery key, or copied item list. |
| Devices and 2FA | Device owners, spare device location, authenticator location, hardware-key owner, and carrier recovery path. | Device passcodes, SIM PINs, one-time codes, or recovery code values. |
| Money and documents | Institution names, executor path, billing owner, document location, and professional contact. | Account numbers, tax IDs, identity numbers, card data, or scanned documents. |
| Work or shared access | Service owner, backup admin, offboarding owner, approval channel, and break-glass process. | Shared passwords in the plan, API keys, private keys, or production tokens. |
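
One way to check a draft plan against the table above before it is printed or shared. This is an added example, not part of the original page or of any tool it mentions; the patterns, the sample plan, and the name `lint_plan` are assumptions made for illustration, and every finding still needs human review.

```python
import re

# Heuristic patterns for values the plan must never contain. They are
# assumptions of this example, not a complete secret detector.
SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "authenticator seed URI": re.compile(r"otpauth://", re.I),
    "labelled secret value": re.compile(
        r"\b(password|passcode|pin|recovery code|backup code|security answer)s?"
        r"\s*[:=]\s*\S+", re.I),
    "possible seed phrase": re.compile(r"\b(?:[a-z]{3,8} ){11,}[a-z]{3,8}\b"),
}

# Constructed sample plan: lines 1, 2 and 6 are pointers, lines 3-5 leak.
SAMPLE_PLAN = """\
Primary email: recovery phone owner is Alex; reset approved by executor
Password manager: vault "Household", emergency access feature, 7-day waiting period
Email password: hunter2-example
Authenticator: otpauth://totp/Example:alex?secret=CONSTRUCTEDEXAMPLE
Wallet: abandon ability able about above absent absorb abstract absurd abuse access accident
Hardware key: spare held by backup owner, location in sealed envelope
"""


def lint_plan(text):
    """Return (line_number, finding) pairs for lines that look like raw secrets.

    The matched value is deliberately not returned, so the report itself
    never becomes another copy of the secret.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, label))
    return findings


if __name__ == "__main__":
    for number, label in lint_plan(SAMPLE_PLAN):
        print(f"line {number}: {label}; keep only a pointer to where it is stored")
```
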
Write The Policy Before The Emergency
An emergency access plan works better when the rules are already written. Use the password policy generator to define who owns shared vaults, which accounts require 2FA, how exports are handled, what gets reviewed, and when emergency access should be revoked.
For households, the policy can be simple: one trusted contact, one secure vault location, one review reminder, and clear instructions for what to recover first. For teams, include ownership, approvals, break-glass access, logging, rotation, and offboarding.
Decide How Access Should Be Shared
Not every emergency requires the same handoff. A family member may need a pointer to an encrypted vault. A contractor may need a temporary item in a password manager. An executor may need a legal document process. If the access path is unclear, use the secure sharing decision helper before sending anything sensitive.
Practical default
If the recipient, purpose, channel, expiration, and revocation path are not clear, do not share the secret. Share a pointer to the approved recovery process instead.
Emergency Response Steps
- Confirm the situation and authority before opening any account.
- Start with the account that unlocks the rest, usually primary email, device account, or password manager.
- Use approved recovery paths instead of asking someone to send secrets over chat or email.
- Log what was accessed, why it was accessed, and which temporary permissions were created.
- Revoke emergency access, rotate copied credentials, and update the plan once the emergency is over.
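
The inventory advice to mark which accounts unlock other accounts, and the step above about starting with the account that unlocks the rest, can be checked mechanically. The following is an added example, not part of the original page; the inventory labels and function names are constructed for illustration. It derives a recovery order from the plan's dependencies and rejects a plan with a circular lockout, where two items each require the other and a responder has nowhere to start.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed inventory (labels only, no secrets): each entry lists what must
# already be recovered before that item can be recovered.
NEEDS = {
    "primary email": ["phone"],
    "password manager": ["primary email", "phone"],
    "banking": ["password manager", "phone"],
    "billing": ["password manager"],
    "phone": [],
}


def entry_points(needs):
    """Items with no prerequisites: where a responder can actually start."""
    return [item for item, prereqs in needs.items() if not prereqs]


def recovery_order(needs):
    """Return items ordered so every prerequisite comes before its dependents."""
    try:
        return list(TopologicalSorter(needs).static_order())
    except CycleError as err:
        # The second element of args is the list of nodes forming the cycle.
        cycle = " -> ".join(err.args[1])
        raise ValueError(f"circular lockout: {cycle}") from None


if __name__ == "__main__":
    print("start with:", entry_points(NEEDS))
    print("recovery order:", recovery_order(NEEDS))
    # A plan where the phone passcode lives only in the vault, and the vault
    # needs the phone for 2FA, has no entry point at all.
    try:
        recovery_order({"password manager": ["phone"],
                        "phone": ["password manager"]})
    except ValueError as problem:
        print("plan rejected:", problem)
```
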
Add Friction To The Passwords That Should Not Unlock On Autopilot
Passlock stores passwords in macOS Keychain and adds intentional friction with time locks, word challenges, and partner keys. It is useful for sensitive passwords you want protected from impulse, convenience, or accidental over-sharing.
FAQ
What is an emergency access plan?
An emergency access plan is a written set of roles, locations, approvals, and recovery steps that helps a trusted person regain access to important accounts, devices, and documents when the owner cannot act.
Should an emergency access plan include passwords?
No. A safe emergency access plan should not contain raw passwords, recovery codes, private keys, security question answers, document numbers, or vault exports. It should point approved people to the protected systems where those secrets are stored.
Who should have emergency access?
Choose a trusted contact, executor, household member, or work backup who has a clear reason to act. Document what they are allowed to access, what proof or approval is required, and when access must be removed.
How often should I review my emergency access plan?
Review the plan after major account, device, relationship, legal, or team changes, and at least every six months for critical accounts, trusted contacts, recovery methods, and storage locations.