What is a dead man's switch for credentials?
Glassbreak Team · Published 2026-07-17
A dead man's switch for credentials is a mechanism that releases access to a login, secret, or set of instructions automatically if its owner becomes unresponsive — typically implemented as a check-in you answer on a schedule, where missing it for a chosen window triggers release rather than requiring you to do anything at the moment of the emergency. The name comes from railway and industrial equipment: a control that has to be actively held to keep something running, so letting go — deliberately or not — triggers a safety response. Applied to credentials, the "letting go" is a missed check-in, and the "safety response" is handing access to people you named in advance.
Why teams and individuals reach for this
The scenario a dead man's switch solves is specific: what happens to a critical credential if the person who holds it becomes unreachable — incapacitated, or simply gone — with no warning and no chance to hand things off deliberately? A break-glass procedure triggered by a request works well when someone is available to raise their hand and say "I need access." A dead man's switch is for the harder case, where nobody can raise their hand, because the person who'd normally need to act is the one who's missing.
The two classic weaknesses
A single false trigger can cause real harm. If a missed check-in immediately and irreversibly hands over access, a vacation with no signal, a broken notification, or a forgotten password on the check-in system itself can trigger a release that shouldn't have happened — and there's no way to undo it after the fact.
A single recipient acting alone is a single point of trust. The classic design names one person who gets everything once the switch fires. That person is now fully trusted at exactly the moment nobody else can verify anything, which is a worse guarantee than the quorum-based approval most teams would insist on for any other high-value access decision.
A safer version of the same idea
Both weaknesses have well-understood fixes, and they're the same fixes used elsewhere in emergency access design:
- A cancellable notice window, so a missed check-in starts a countdown rather than an immediate release — you (and often your named contacts) are alerted, and the release can still be stopped before anything actually opens.
- Quorum-based recovery instead of a single recipient, so the credential can only be reconstructed if a threshold of independently named people act together, rather than one person unilaterally holding everything once the trigger fires.
Combined, these turn a fragile all-or-nothing switch into something closer to a supervised, reversible handover — closer in spirit to quorum-based secret sharing than to a single tripwire.
How Glassbreak implements this
Glassbreak's individual-focused plans support exactly this pattern for personal credentials and documents: release can be gated behind a scheduled check-in, a time-lock, a quorum of named people acting together, or some combination — never a single silent trigger. The digital legacy page describes the check-in and notice-window mechanics in detail, including how a false alarm gets caught before anything opens; crypto inheritance covers the same pattern applied specifically to self-custody seed phrases, explicitly as a safer alternative to a traditional dead man's switch. Under the hood, both rely on the same client-side encryption and quorum-based recovery used across the platform, detailed on the security page — the check-in is the trigger, but the credential is only ever recoverable by the threshold of people you named, never by Glassbreak itself.
What it doesn't replace
A dead man's switch is a trigger mechanism, not a substitute for properly encrypted storage or a named, informed set of recipients. If the underlying credential isn't encrypted with genuine access control, a well-designed trigger is just an elaborate way of eventually exposing something that was never actually protected. Set up the storage first — who can decrypt it, and under what threshold — and the check-in or time-lock second.
Frequently asked questions
- What's the difference between a dead man's switch and a check-in system?
- They're the same underlying mechanism described from opposite directions. A dead man's switch is defined by absence — it fires because you stopped doing something (checking in). A check-in system is the safer framing of the same idea: as long as you keep answering on schedule, nothing happens; only a sustained silence for the window you chose triggers release, ideally with a warning period first so a missed check-in isn't irreversible the moment it's missed.
- What happens if I miss a check-in by accident — on vacation, for example?
- In a well-designed system, a single missed check-in shouldn't immediately hand anything over. Look for a notice window: when a check-in is missed, you (and often your named contacts) get alerted and given a further window to respond before anything actually releases. That turns an accidental miss into a caught mistake rather than a silent, irreversible handover.
- Is a dead man's switch the same as break-glass access?
- They're related but triggered differently. Break-glass access is usually triggered deliberately by someone declaring an emergency and requesting access. A dead man's switch is triggered by the absence of an action — you stopping your check-ins — rather than anyone actively requesting anything. Some systems combine both: a credential that can be released either by quorum approval on request, or automatically after a sustained missed check-in, whichever comes first.
- Can one person be trusted with a dead man's switch credential alone?
- That's the classic design's weakest point. If a single designated recipient gains full access the moment the switch fires, you're trusting that one person completely, at a moment when you're not available to notice if something goes wrong. Requiring a quorum of recipients to act together before anything actually opens removes that single point of trust, the same principle used in quorum-based secret sharing for any other high-value credential.