You’ve taken steps to secure your digital services by enabling Two-Factor Authentication. But what do you do with the recovery codes a service gave you to gain access if the usual authentication method is unavailable?
You need to keep recovery codes secure, but more importantly, keep them somewhere you’ll have access to when you need them.
What Are Recovery Codes, and Why Do I Need Them?
Recovery codes are a failsafe, a way to override additional security measures placed on a digital service or account. They are randomly generated, single-use, and usually consist of at least 16 digits.
You are often given a single code, but you might also receive several, such as when you set up Two-Factor Authentication (2FA) on a Google account. If you are given multiple codes, any one of them can be used to authenticate your login.
Two-Factor Authentication requires a second way to authenticate access, often on a separate device. If that device was lost, stolen, or inoperable, you could lose access to the account forever. Recovery codes are an authentication backup, used when the second factor in 2FA isn’t available.
In the case of a zero-knowledge service, such as cloud storage, a recovery code or key is used similarly. The recovery code or key is linked to your password digitally. If you forget your password, the recovery key proves that you are authorized to access the account. It is more important to keep this type of recovery code in a secure place as it is used in place of your password, rather than alongside it.
2FA Is Enabled, Where Is My Recovery Code?
When you set up 2FA on your accounts, there is usually a clear prompt to generate and download your recovery code. If you missed it, or have downloaded a code and don’t know where it is, you can usually generate a new one from within the account.
Sign in to your account using the 2FA method you set up. The recovery code can usually be found in the security section of the account settings. You might find your existing recovery code here, or instructions for generating a new one. When you generate a new code, any previously downloaded codes will be invalid. Make sure you keep it somewhere safe!
Option 1: Print Out Your Recovery Codes
For most people, storing your recovery codes on paper is one of the most secure methods. Paper can’t be hacked or accessed by someone remotely. You could lose the piece of paper, but you can easily print multiple copies, keeping one safe at home, another in your purse or wallet, etc.
As long as you don’t store the codes alongside your other log-in details, there isn’t much someone could do with them even if they see the printout. It isn’t a very technologically-advanced method, but sometimes the old ways are the best.
Option 2: Store Recovery Codes in the Cloud
Another good option is to store recovery codes in your cloud storage vault, as long as it doesn’t also use Two-Factor Authentication. If it does, you are only moving the problem back a step.
Keeping your recovery codes in a cloud storage vault means you can access them anywhere, as long as you have some means of getting online. You could use the cloud storage service you already have an account with or take advantage of the free account offered by almost every cloud storage provider.
When you download recovery codes as a text or PDF file, it is usually given a random file name. If you think you might forget what the file and the codes are for, you can name it something more memorable. Just don’t call the file “LastPass 2FA Recovery Codes” or anything that obvious.
As with most of the other methods we are discussing, it is best to store your recovery codes on their own and never in the same place as the other login details. If you follow this rule, hiding the file behind a fake filename becomes less important.
Option 3: Keep Recovery Codes on a USB Flash Drive
Keeping your recovery codes on a USB flash drive has several advantages. No one can hack into it to steal the codes, it isn’t reliant on an Internet connection for access, and they are easy to carry around.
Most small USB drives have a hole or loop so they can be attached to your keyring. And as you are unlikely to leave your keys lying around in unsafe places, the USB and your recovery codes will be safe.
If you choose to use this option, it is a good idea to use a high-quality USB thumb drive. Ideally, choose one with a metal body to reduce the risk of the drive being broken or lost.
You could also password-protect the USB drive, or even encrypt it with BitLocker or another encryption tool. But that requires you to remember yet another password.
Where You Should Never Store Recovery Codes
2FA recovery codes aren’t as sensitive as passwords, at least not on their own. But there are still a few places you should never keep them.
Inside a 2FA-protected Service or Account
Don’t keep the recovery codes for your password manager inside your password manager. If you enable two-factor authentication on your Google account, don’t store recovery codes in your Google Drive. These may seem obvious, but when you’re used to using one place to store all your sensitive data, it’s easy to make that kind of error.
On Your Computer’s Desktop
Many of us rely on browser password auto-fill tools these days. If your computer is accessed by someone with bad intent, they might not even need to know your password. Your computer could enter it for them and, when combined with recovery codes, access your 2FA-protected accounts.
On a Sticky Note Stuck to Your Monitor
Like the reasons above, if you have your recovery codes on a sticky note and someone manages to physically access your computer, the recovery codes are right there. Should they manage to discover the accompanying password, you’ll be in trouble. But, you might be saying, storing recovery codes on paper is the first option in this guide. It is, and keeping codes on paper is fine, as long as the paper is kept somewhere private and safe, away from your device.
Storing Your Recovery Codes Safely
Recovery codes for 2FA are important, and you should keep them safe, but it is more important to keep them accessible.
Using a combination of the methods explored here will mean your recovery codes are safe and available when you need them. Choose the methods that work best for you, and take advantage of any tools already available.
For example, if you already have cloud storage, or always carry a USB drive on your keys, keep your codes there. And then also print them out as a backup.
Here are a few final thoughts and tips to consider when storing recovery code:
- Never store recovery codes with other login information for the account. This includes the username, password, or account name.
- Splitting the recovery code into two parts can improve security when stored. Someone who finds the parts of the code can’t use them without recognizing that they need to be joined. And even then, they need to know in which order the parts are entered.
- For your most important 2FA-protected services, such as the password manager that holds all of your account login details, refresh or update recovery codes regularly.
- But remember, if you refresh your codes, or if you have to use a single-use recovery code, don’t forget to replace the stored code with the new one.