“In the previous post in this series, I looked at identity discovery inside structured systems: federations, CIAM platforms, metadata documents, wallets, and credentials.”

Those systems may be complicated, but at least they have protocols, interfaces, policies, and some idea of what they are trying to match. A user needs an identity provider. A client needs metadata. A verifier needs a credential. A wallet needs to determine whether it can satisfy a request. The details can be painful, but the systems generally know there is a discovery problem to solve.

Personal digital life is messier.

Over time, we create accounts, reuse identifiers, connect social logins, save credentials, authorize apps, start subscriptions, abandon services, change phones, change emails, and forget what we did. We try a new productivity tool. We create an account to download a white paper. We sign into a conference app. We use Google login one day, Apple login the next, and an email-and-password account the time after that because apparently consistency was too much to ask of Future Us. We link a payment card. We authorize a mobile app. We agree to terms of service. We create a profile. We add a recovery email. We forget the whole thing ever happened.

While we are still present, that mess is inconvenient. When someone else has to reconstruct it after incapacity or death, it becomes a much harder problem of authority, access, and trust.

That is the discovery problem this post is about. Not identity discovery inside a clean protocol flow, but personal account discovery in the wild. This is less governed matching and more archaeology.

You can Subscribe and Listen to the Podcast on Apple Podcasts, or wherever you listen to Podcasts.

And be sure to leave me a Rating and Review!

Accounts accumulate quietly

Most of us do not create our digital lives according to a plan. We accumulate them. The result is a personal digital estate long before anyone thinks to use the word “estate.”

Some of it is obvious: email accounts, financial services, social media profiles, cloud storage, messaging apps, streaming services, shopping accounts, government services, healthcare portals, travel accounts, and workplace systems. Some of it is less obvious: old forums, loyalty programs, domain registrations, abandoned blogs, newsletter platforms, app-specific logins, school systems, professional associations, conference tools, smart home devices, gaming profiles, fitness apps, and the SaaS trial you absolutely meant to cancel before it billed annually. Hypothetically.

The tricky part is that accounts are not always created in a way that feels important at the time. The threshold for account creation is low because platforms want it that way. Sign up to save your preferences. Sign up to complete checkout. Sign up to join the community. Sign up to see the file. Sign up to sync across devices. Sign up because guest checkout has mysteriously disappeared again.

This is not inherently bad. Accounts can make services more useful. They support personalization, security, continuity, and portability within a service. But the long-term effect is that people build a sprawling set of identity relationships across platforms that were designed to support engagement, not personal inventory management.

The account may be easy to create. Remembering that it exists five years later is a different matter.

We discover our own accounts through fragments

When people try to find old accounts, they rarely start from a clean list. They start with fragments.

They search their inbox for “welcome,” “verify your email,” “reset password,” “receipt,” “subscription,” “your account,” or “confirm.” They check password managers. They look at browser-saved passwords. They scan app store subscriptions. They review recurring charges on payment cards. They look at connected apps in Google, Apple, Facebook, Microsoft, GitHub, or whichever platform acted as their identity provider at the moment they clicked “continue with.” They search old phones. They check cloud backups. They look at domain renewals. They follow the trail of notifications, invoices, and vague memories.

None of these is really an account inventory. They are fragments we use to reconstruct one.

Password managers get closest, and they are increasingly essential. They give people a place to store credentials, identify reused passwords, and sometimes assess password health. But a password manager only knows what was saved. It may not know about passkeys stored elsewhere, accounts created through social login, accounts tied to old work addresses, accounts that used magic links, apps authenticated through OAuth, or services where the password reset flow is the only remaining clue. Browser-saved credentials have similar limits, only with more chaos and fewer life choices I would recommend defending in public.

Email is often the richest source because email tends to preserve transactional traces. The problem is that email is also a landfill with search. It may contain the welcome message, the receipt, the password reset, the suspicious login alert, the subscription renewal, and the final notice before account deletion. It may also contain ten thousand other messages from organizations that have mistaken “customer relationship” for “permission to test the outer limits of human patience.”

Still, for many people, the inbox is the closest thing they have to a personal account registry. That should make us uncomfortable. It means one of the primary ways people discover the accounts they have created is by searching through an uncontrolled archive of communications from organizations that may or may not have used meaningful subject lines.

We have built a digital world where account discovery often depends on whether someone can remember the right search term.

Breaches are a terrible discovery mechanism

Then there is the grimly useful category: breach data.

Have I Been Pwned and similar breach notification services can reveal that an email address appeared in a compromised dataset. This can be genuinely useful. A breach notification may remind someone of an account they forgot they had, or an old service they should close, or a password they reused somewhere else because apparently Past Me continues to file complaints with Present and Future Me.

But “someone leaked it” is a terrible account inventory strategy.

Breach-derived discovery is discovery after failure. It tells you that an account, identifier, or credential may have existed in a compromised context. It does not tell you whether the account is still active, whether the data is current, whether the service still exists, whether the account was yours or created fraudulently, or whether the password was reused somewhere more damaging. It is useful because the rest of the ecosystem is so bad at helping people maintain awareness of their own accounts.

That is a recurring pattern in this series. When proper discovery mechanisms are absent, people build workarounds out of whatever evidence remains. Sometimes that evidence is a clean metadata document. Sometimes it is a password vault. Sometimes it is an inbox. Sometimes it is a breach.

Yay for modern life.

The account is only the door

The other problem with treating this as “account discovery” is that the account is often only the door. What matters is what sits behind it.

An old email account may contain family photos, legal records, domain registrations, financial notices, professional correspondence, login recovery messages, or evidence of consent. A cloud storage account may contain creative work, business documents, tax records, medical files, or the only copy of a scanned passport. A social media profile may be a public identity, a private archive, a professional presence, or a memorial waiting to happen. A playlist, photo album, game account, digital wallet, or device ecosystem may look trivial to one person and carry deep emotional, financial, or cultural value to another.

This is where the digital estate framing becomes useful, though I do not want this post to become a summary of digital estate law. In the white paper I co-authored, “The Unfinished Digital Estate,” we argued that digital life now extends beyond lifespans and includes far more than bank accounts and crypto wallets. Email, shared photos, creative work, credentials, playlists, social media profiles, and connected devices can all form part of what outlives a person.

That matters for discovery because the thing we know how to name may be less important than the thing it contains. “Find my old account” sounds straightforward until the account is the only route to photographs, contracts, private messages, tax documents, or the credentials needed to access other accounts.

The account is the door. The digital life is behind it.

Companies lose the map too

The discovery problem does not only exist on the user side. Organizations also lose track of what their systems are doing, especially when customer data moves through websites, mobile apps, tag managers, analytics tools, advertising infrastructure, and third-party integrations.

At RSAC 2026, I attended a session on privacy investigations built around a misconfigured website tracking scenario: sensitive health information being sent to third-party advertisers. What stood out was how much of the investigation sounded like discovery work. What third-party tags are present? What data elements are being disclosed? Is the consent mechanism actually preventing tracking before opt-in? Are the tags hardcoded or running through a tag manager? Is the data moving client-side, server-side, or both? Is it going only to the first-level service provider, or is a second- or third-level entity doing something unexpected?

In other words, the company may not have a reliable map of its own data flows. The user is trying to reconstruct their digital life from the outside. The company may be trying to reconstruct its own tracking behavior from the inside. Neither situation is especially comforting.

That session was about privacy enforcement, not digital estate planning, but the connection is useful. Digital systems create relationships faster than people document them. A marketing team adds a tag. A product team enables an integration. A consent banner is configured one way, a tracker behaves another way, and employee turnover quietly removes the human memory of why anything was set up the way it was. Eventually, someone has to ask: what exists, where does it go, who receives it, and what did we promise users?

That is discovery too. Operational discovery, perhaps, but still discovery.

Before an organization can govern data flows, update disclosures, honor consent preferences, or respond to regulators, it has to know what is actually happening. Before an individual can close accounts, revoke access, preserve assets, or make plans, they have to know what exists. The symmetry is not perfect, but it is uncomfortable in a useful way.

Easy discovery can create abuse

If this were only a usability problem, the answer might be simple: make accounts easier to find. Let users enter an email address and see every account tied to it. Let them search across platforms. Let them discover all connected apps, subscriptions, identifiers, and recovery channels from one place.

Lovely idea. Also, please enjoy your new attack surface.

A system that helps the rightful user rediscover an account may also help an attacker discover that the account exists. Account enumeration is not theoretical. Password reset flows, login error messages, recovery prompts, and “find my account” features can all leak information if designed poorly. If a service confirms that an email address has an account, that may be useful to the account holder. It may also be useful to a stalker, scammer, credential stuffer, or anyone building a profile of someone’s online life.

The same problem shows up with social login and connected apps. A person may want to know which services are connected to their Google, Apple, Facebook, Microsoft, or GitHub account. That is reasonable. But exposing those relationships too broadly can reveal professional affiliations, political activity, health relationships, financial interests, or communities someone never intended to make visible.

Account recovery has the same tension. Recovery must be usable enough for legitimate users and resistant enough to keep attackers out. Old phone numbers, stale email addresses, compromised inboxes, shared devices, and weak customer service processes all turn discovery and recovery into security questions.

This is the same lesson from the identity discovery post, only messier. Findability is not always good. In identity systems, the useful goal is often conditional findability: findable by the right party, for the right reason, at the right moment, with the right limits.

Everything changes when the user cannot participate

All of this assumes the person is still there to participate.

That is the pivot. While the account holder is alive and able to act, forgotten account discovery is annoying, incomplete, and surprisingly revealing. But the person can still authenticate, search, reset, confirm, revoke, export, delete, or make a decision. They may not enjoy the process. They may say unkind things about past versions of themselves. But they can still participate.

After incapacity or death, the discoverer changes. It may be a spouse, adult child, executor, fiduciary, caregiver, business partner, trustee, or court-appointed representative. That person may have emotional urgency, legal authority, practical responsibility, or all three. They may need to find financial assets, close subscriptions, preserve photos, notify communities, manage business accounts, retrieve tax records, deal with domains, or prevent fraud.

They may also have no idea where to start.

This is where the digital estate problem becomes a discovery problem in the sharpest sense. What accounts existed? Which ones matter? Which contain assets, obligations, memories, or risks? Which recovery channels still work? Which platforms offer legacy tools? Which require a death certificate? Which require a court order? Which refuse access altogether? Which accounts are protected by MFA tied to a phone no one can unlock? Which credentials are in a password manager no one can access?

Legal authority and technical access are not the same thing.

A will can name an executor. It cannot unlock a phone, decrypt a password manager, satisfy MFA, recover a private key, or make every platform recognize the same authority model. A death certificate can prove that someone died. It does not provide a complete inventory of the accounts they created. A court order may help with one platform and be irrelevant, insufficient, or slow for another.

That gap is where families and fiduciaries get stuck.

Platform tools help, inside their own walls

Some major platforms have tools for this. Google has Inactive Account Manager. Facebook has memorialization and legacy contact features. Apple has Legacy Contact. Password managers may offer emergency access or account recovery mechanisms. These tools are better than nothing, and people should know they exist.

They are not a discovery layer for a person’s digital life.

Platform tools are platform-specific by design. They help with the account or ecosystem they control. They do not tell an executor what else existed, what subscriptions are active, what social logins were connected, what domains are expiring, what files are business-critical, or what accounts are recoverable only through another email account. They also vary in what they allow. A legacy contact may be able to retrieve some data but not messages, credentials, payment information, or content protected by separate security boundaries.

The white paper makes this point clearly: current technical tools are inconsistent, incomplete, and largely proprietary. Even the more mature tools operate within narrow platform boundaries. Apple’s Legacy Contact, for example, does not grant access to credentials stored in Apple’s Passwords application, which means it may not help a legacy contact discover and manage the many other accounts those credentials could unlock.

That limitation makes sense from a security standpoint. It is also a practical discovery problem. The very protections that keep accounts safe during life may make them impossible to identify or manage after death unless the person planned ahead.

Again, the answer is not “make everything accessible.” That would be a disaster. The answer is to recognize that digital estate discovery requires intentional delegation, clear authority, auditability, revocation where appropriate, and usable planning tools before a crisis.

Small ask. Tiny. Barely anything.

The personal discovery gap

The hard truth is that personal digital-life discovery currently depends too much on individual discipline and platform-specific luck. People are expected to keep track of accounts they created over decades, across changing devices, email addresses, phone numbers, identity providers, password managers, and social login options. Organizations are expected to honor preferences and privacy promises across dynamic data flows they may not fully understand. Families are expected to manage digital remains through tools that were never designed to work together.

No wonder the result is messy.

The practical lesson is not that everyone needs a perfect spreadsheet of every account they have ever created, though honestly, it would not hurt. The better lesson is that personal digital life needs more intentional inventory, delegation, and recovery planning than most of us currently give it. Password managers help. Account cleanup helps. Reviewing connected apps helps. Setting platform legacy contacts helps. Documenting important accounts helps. So does thinking about which accounts matter financially, emotionally, professionally, or legally.

But the larger point is structural. Platforms have spent years making account creation easy. They have spent far less time helping people understand the long-term identity relationships they are creating. That imbalance becomes visible when people try to clean up their own accounts. It becomes painful when someone else has to do it for them.

Personal account discovery shows what happens when identity relationships accumulate faster than the systems for managing them. Digital estate discovery shows what happens when those relationships outlive the person who created them. The discovery problem does not end when the user can no longer log in. In many ways, that is when it becomes impossible to ignore.

The next post moves from people trying to discover accounts and authority to software discovering agents, endpoints, tools, and capabilities. Different actor, same uncomfortable question: who gets to find what, under what authority, and with what consequences?

📩 If you’d like to be notified of new posts rather than hoping you catch it on social media, I have an option for you! Subscribe to get a notification when new posts go live. No spam, just announcements of new posts. [Subscribe here]

Transcript

In the previous discussion in this series on discovery, we explored identity discovery within structured systems.

Those systems included:

• Federated identity environments
• Consumer identity platforms
• Metadata discovery
• Digital wallets
• Credentials

While those ecosystems can be complicated, they generally recognize that a discovery problem exists.

However, personal digital life is very different.

Most people don’t build their digital identities according to a plan.

Instead, they accumulate them.

And over time, that accumulation creates a new discovery challenge.

---

The Personal Digital Estate We Never Planned For

Every day, people create new digital relationships.

We:

• Open accounts
• Reuse email addresses
• Connect social logins
• Authorize applications
• Start subscriptions
• Save credentials
• Join communities

Then we move on.

Eventually, many of those relationships fade from memory.

The result is a growing digital footprint that few people actively manage.

---

More Than Just Accounts

When people think about their digital lives, they often focus on obvious assets.

For example:

• Email accounts
• Financial services
• Social media profiles
• Cloud storage
• Streaming services
• Shopping accounts
• Healthcare portals

However, the less obvious accounts are often just as important.

These may include:

• Old forums
• Loyalty programs
• Abandoned blogs
• Newsletter subscriptions
• Professional associations
• Smart home services
• Gaming accounts
• Trial software subscriptions

Individually, these accounts seem insignificant.

Collectively, they form a complex digital estate.

---

Why Forgotten Accounts Matter

Most accounts are designed to be easy to create.

Platforms encourage users to:

• Save preferences
• Complete purchases
• Join communities
• Access resources
• Download content

This convenience creates value.

However, it also creates a long-term problem.

Accounts are easy to create today but difficult to remember years later.

As a result, many people lose track of:

• Services they joined
• Applications they authorized
• Accounts they still own
• Subscriptions they continue to pay for

And that is where discovery becomes difficult.

---

Reconstructing a Digital Life

When people attempt to find old accounts, they rarely start with a complete inventory.

Instead, they work from fragments.

Common sources include:

• Email inboxes
• Password managers
• Browser-saved credentials
• App store subscriptions
• Payment card statements
• Connected social logins
• Cloud backups
• Domain registrations

Each source provides clues.

But none provides a complete picture.

Discovery becomes less about management and more about reconstruction.

---

Password Managers Help, But Only Partially

Password managers are among the best tools available for account discovery.

They provide:

• Credential storage
• Password reuse detection
• Security insights
• Authentication support

However, they only know what was saved.

They may not capture:

• Passkeys stored elsewhere
• Social login relationships
• Accounts tied to old email addresses
• Magic-link authentication
• OAuth-based services

As useful as password managers are, they are not complete inventories.

---

Why Email Becomes the Default Registry

For many people, email serves as an accidental account directory.

Inboxes contain:

• Welcome messages
• Verification emails
• Password resets
• Receipts
• Renewal notices
• Security alerts

As a result, searching email often becomes the primary method for discovering forgotten accounts.

That should make us pause.

Because it means account discovery frequently depends on remembering the correct search terms inside a chaotic archive of messages.

---

The Problem With Breach-Based Discovery

Sometimes forgotten accounts are discovered through breach notifications.

Services such as breach monitoring platforms can reveal:

• Old accounts
• Reused passwords
• Forgotten email relationships

This information can be valuable.

However, breach-based discovery has limitations.

It cannot reliably determine:

• Whether the account still exists
• Whether the service remains active
• Whether the data is accurate
• Whether the account was legitimate

In other words, it is discovery after something has already gone wrong.

---

When Findability Becomes a Security Risk

At first glance, making accounts easier to discover sounds helpful.

Imagine a system that could instantly show:

• Every account linked to an email address
• Every connected application
• Every subscription
• Every recovery method

Convenient?

Absolutely.

Safe?

Not necessarily.

The same system that helps legitimate users may also help:

• Attackers
• Stalkers
• Scammers
• Credential stuffing operations

This creates an important tension.

Better discoverability can also increase risk.

---

Conditional Findability

Identity systems teach an important lesson:

More visibility is not always better.

Instead, discovery often requires conditional findability.

Information should be discoverable:

• By the right person
• For the right reason
• At the right time
• Under the right controls

This balance between usability and privacy appears throughout identity systems.

And it becomes even more important when personal accounts are involved.

---

The Account Is Only the Door

One of the most important observations is that people are rarely searching for accounts simply because they want the account itself.

They are searching for what lies behind it.

That may include:

• Family photos
• Financial records
• Contracts
• Tax documents
• Creative works
• Medical information
• Private communications

The account is simply the access point.

The real value lies beyond it.

---

Digital Estate Discovery Changes Everything

The challenge becomes much more serious when the account owner is no longer able to participate.

Following incapacity or death, responsibility may shift to:

• Spouses
• Adult children
• Executors
• Trustees
• Caregivers
• Business partners
• Court-appointed representatives

These individuals often face urgent questions:

• What accounts exist?
• Which accounts matter?
• What assets are involved?
• Which recovery channels still function?
• What authority is required?

Unfortunately, answers are often difficult to find.

---

Legal Authority Is Not Technical Access

A common misconception is that legal authority automatically grants access.

It does not.

For example:

• A will cannot unlock a phone
• A court order cannot bypass every platform
• A death certificate cannot inventory accounts
• Legal authority cannot satisfy MFA requirements

Technical controls and legal authority operate independently.

And that gap frequently leaves families stuck.

---

Platform Tools Help, But They Are Fragments

Several platforms offer account legacy tools.

Examples include:

• Google Inactive Account Manager
• Facebook memorialization features
• Apple Legacy Contact
• Password manager emergency access

These tools provide meaningful assistance.

However, they remain platform-specific.

They can help with:

• Individual accounts
• Specific ecosystems

But they do not provide a comprehensive inventory of a person’s digital life.

---

The Discovery Challenge Organizations Face

Interestingly, individuals are not alone in struggling with discovery.

Organizations face similar challenges.

During investigations, teams often need to answer questions such as:

• What systems exist?
• Where is data flowing?
• Who receives information?
• What integrations are active?
• What promises were made to users?

These are discovery problems too.

Before an organization can:

• Govern data
• Honor consent
• Respond to regulators
• Improve security

It must first understand what actually exists.

---

Discovery Depends Too Much on Luck

Today, personal digital life discovery relies heavily on:

• Memory
• Individual discipline
• Platform-specific tools
• Fragmented records

People are expected to track decades of:

• Accounts
• Devices
• Email addresses
• Phone numbers
• Password managers
• Social logins

Few people do this successfully.

And the result is often confusion.

---

Practical Steps That Help

Perfect account inventories may be unrealistic.

However, several practices improve visibility.

These include:

• Using password managers
• Reviewing connected applications
• Cleaning up unused accounts
• Documenting important services
• Establishing legacy contacts
• Planning account recovery paths

None of these solutions is perfect.

Together, however, they improve resilience.

---

The Larger Structural Problem

Ultimately, this is not just a user behavior problem.

It is a platform design problem.

For years, technology companies optimized account creation.

Far less attention was given to helping people manage long-term identity relationships.

As a result:

• Accounts accumulate quickly
• Visibility declines over time
• Discovery becomes harder
• Recovery becomes more difficult

The imbalance becomes obvious when someone tries to reconstruct years of digital activity.

---

Final Thoughts

Personal account discovery reveals what happens when identity relationships accumulate faster than our ability to manage them.

The challenge extends beyond forgotten passwords or abandoned subscriptions.

It touches:

• Security
• Privacy
• Recovery
• Trust
• Digital inheritance

And in many cases, it becomes most visible only when it is already too late.

---

Conclusion

The digital lives we create are larger and more complex than most of us realize.

Accounts, credentials, subscriptions, and online relationships accumulate quietly over time.

Yet the systems for discovering and managing those relationships remain fragmented.

The lesson is simple:

Creating digital relationships is easy.

Understanding and recovering them later is much harder.

And that is a discovery problem we are only beginning to fully understand.