How To Keep Your Security Blanket Up-To-Date

Once you have a security blanket set up, follow these suggestions to keep it up-to-date and secure.

Routine (at least yearly)

  • Review your account passwords. Whether the concern is a data breach or password reuse, make sure your TLA passwords are as strong as possible, then fix up EAs and then RAs when possible. Using a Password Manager helps you detect issues and makes it easy to identify accounts that need updating.

  • Review your digital map. If there’s a new change (i.e. a TLA or EA addition or modification), you’ll need to send new cards to your contacts. As long as it’s not a TLA, you should be able to mail the card to the contact without the need for a meet.

  • Remove unused accounts. Reduce your surface area.

  • Test to make sure your trusted contact still has access to your account.

  • Review security best practices and upgrade when possible, for example by switching from SMS MFA to Authenticator App MFA. Always prioritize your best security practices for accounts in the TLA > EA > RA order.

  • Keep a blank set of cards at your primary desk, so you can make changes to your blanket when necessary.

Wear and Tear Scenarios

Actions to take under the following circumstances:

Changing an account password

If you’ve been following best practices, no action is needed for accounts that use a Password Manager; it will update automatically. If the account is not using a Password Manager, you will need to update the card for that account. If it’s a TLA, send the updated card to all backups. If it’s an EA, you can wait and include it in a batch update at the end of the year, as part of your routine.

Creating a new account

Similar to a password change. If the account is managed by a Password Manager, then there’s no action needed. For new EA accounts, update your digital map, write a new card, and send it to your backups with a batch update at the end of the year. For a new TLA, send it to the backups as soon as you can.

Adding another device or tool for account login

Similar to adding a new account, you will need to update your digital map, make a new card, and update any other cards that now depend on this device/tool. Typically the card for a new device/tool should be sent to backups as soon as possible, but it depends on its overall criticality.

You’ve been notified that your account has been accessed from an “unrecognized” location

Because you have created security blanket backups, it’s possible for them to be physically compromised. The good news is that most TLAs have automatic notifications for unrecognized access patterns, but it’s up to you to act on them. Take these warnings seriously, and confirm whether your trusted contacts have accessed your account. If you suspect a compromise, act quickly: notify the TLA about a security issue and lock down any other TLAs.

In the event you use a security blanket backup for recovery

This is great, and exactly what the security blanket is for. Most of the time, no further action is required. If backup codes were used, make sure more than half of them remain, since each code can only be used once. Otherwise, consider rotating the backup codes and sending out updated cards for that account.