I often think when I see an attack on some "badly done" security procedure like giving your birthdate to "authenticate" as a person: "Well, it's bad. But it's a good middle-ground between security and usability. And the few abuses are covered by insurance. So, all in all, it's not too bad." Which your story seems to underline. But of course the best way would be to have a t-out-of-n threshold decryption with your friends devices. Not?