OpenID Foundation urges standards for digital estates

The OpenID Foundation is pushing for common digital-estate standards, arguing that online identity systems still lack reliable ways to manage accounts and data after a user dies or becomes incapacitated.

A new whitepaper, The Unfinished Digital Estate, reviews how major online services handle death and posthumous access. It concludes that authentication and authorisation tools have matured, but death verification and posthumous delegation have not.

The report was co-authored by Dean H. Saxe, Mike Kiser, Eve Maler, and Heather Flanagan. It was produced by the OpenID Foundation's Death and Digital Estate Community Group, which Saxe founded and co-chairs.

Digital accounts and connected services increasingly outlive their owners. The paper cites email, cryptocurrency holdings, cloud photo libraries, social media profiles, and connected devices as common examples. It argues that the lack of consistent approaches forces families, executors, and service providers to navigate incompatible processes across platforms and jurisdictions.

Fragmented processes

The authors argue that many platforms still treat death as an exception rather than a predictable part of the user lifecycle. Some large technology firms offer "legacy contact" tools or similar features, but adoption remains low. Other services tell families to use the deceased person's credentials, which can conflict with platform terms and local law.

The report also highlights gaps in government approaches to digital estates. Some regions provide limited fiduciary access rights, while others defer to platform policies. Many jurisdictions focus on awareness campaigns rather than enforceable frameworks, leaving cross-border questions unresolved when data, assets, and service providers span multiple countries.

Best known for OpenID Connect, widely used for signing in to online services, the OpenID Foundation frames the digital-estate problem as a standards challenge rather than a single-vendor product issue.

Among the technical barriers is the lack of a consistent, verifiable way to confirm death online. Death certificates vary widely across countries and systems, can take 10 to 12 days to issue, and are vulnerable to spoofing. The report says there is no common digital standard for death records that online services can rely on.

It also raises a broader challenge for identity systems built around user authentication: a deceased person cannot authenticate, undermining traditional consent flows. The paper asks how users can delegate authority in advance in a way that remains verifiable and auditable after death. It also questions how systems should handle incapacitation, which may not have a single clear trigger.

Shifts in consumer authentication add further complications. The report points to the spread of passkeys and credential managers and asks what happens to those tools when a user dies. It argues that current approaches do not map cleanly to estate administration, particularly when access depends on a device, biometric checks, or platform-bound recovery mechanisms.

AI risks

The authors also point to new risks from generative AI. The paper says AI can create posthumous avatars and deepfakes of deceased individuals, raising questions about consent, control, and the posthumous use of a person's likeness. Legal disputes have already emerged in some cases.

Cultural expectations are another barrier to a single set of rules, the report argues. Views differ on privacy, mourning, and remembrance, blurring the boundaries between property rights, identity, and personal data.

Saxe said the issue is handled inconsistently across services and will become harder as new technologies proliferate.

"This issue affects every internet user eventually, yet platforms treat death as an edge case. We have standards for authentication, authorization, and digital consent. We need the same coordinated approach for what happens when users die, before AI deepfakes make this even more complicated," said Dean H. Saxe, Founder and Co-Chair, Death and Digital Estate Community Group, OpenID Foundation.

Sector roles

The whitepaper sets out suggested workstreams for policymakers, technology platforms, and standards bodies. For governments, it calls for clearer recognition of digital assets in inheritance law, more defined rules on privacy and identity rights after death, and frameworks that address cross-border digital property.

For platforms, it calls for approaches that move beyond password sharing, with verifiable processes for death and incapacitation. It also urges user controls over posthumous data use and systems that support clear consent, revocation, and auditability.

For standards bodies, it outlines interoperable delegation protocols, verifiable triggers for incapacity or death, and trust frameworks for estate services. It adds that any approach must account for cultural diversity and differing legal regimes.

The OpenID Foundation has also produced a companion Digital Estate Planning Guide for individuals and advisers. The guide notes that planning alone often fails when service providers lack interoperable systems, and that accessing an account without proper authorisation may still breach laws or terms of service, even if it aligns with the account holder's wishes.

The whitepaper points to existing initiatives as starting points but describes them as isolated efforts. It cites guardianship credentials associated with Sovrin, delegation frameworks from the Kantara Initiative, and death-registration integrations within the MOSIP ecosystem.

Next steps are expected to include cross-industry pilots and contributions to the Death and Digital Estate Community Group. The OpenID Foundation is seeking participation from government agencies, legal services, insurance, financial services, healthcare, technology providers, and the death-care sector.