Backup codes are the thing you’ll wish you had
When you set up two-factor authentication, most services give you a set of one-time backup codes. These are your emergency keys. If your phone breaks, gets stolen, or you accidentally delete your authenticator app, backup codes are how you get back in.
A lot of people skip past this step during setup. They figure they’ll deal with it later, or they screenshot the codes and forget where the image went. Then six months later, they’re locked out of their email and filing support tickets.
Don’t be that person. Saving backup codes takes two minutes and can save you hours of recovery headaches.
What backup codes actually are
Backup codes are pre-generated, one-time-use strings (usually 8-12 characters) that work as a substitute for your TOTP code. Each code can be used exactly once. Most services give you somewhere between 5 and 10 of them.
They’re generated at the same time you enable 2FA, and they’re tied to your account. They don’t expire unless you regenerate a new set, which invalidates the old ones.
Think of them as spare house keys. You don’t use them every day, but when you need one, you really need one.
Where to store them
There are a few reasonable approaches, each with trade-offs.
In a password manager
This is probably the most practical option for most people. If you’re already using a password manager (1Password, Bitwarden, KeePass, etc.), add your backup codes as a note attached to the relevant login entry.
Why this works: Your password manager is encrypted, synced across devices, and you’re already opening it when you log into things. The codes are right there when you need them.
The risk: If you lose access to your password manager and your authenticator at the same time, you’re stuck. This is unlikely if your password manager uses a different unlock method (like a master password or passkey) than your authenticator app, but it’s worth thinking about.
Mitigation: Keep at least one backup method outside your password manager (like a printed copy).
Printed on paper, stored somewhere safe
Print your backup codes and put them somewhere physically secure: a home safe, a locked drawer, a fireproof box. Somewhere you’d keep a passport or birth certificate.
Why this works: Paper can’t be hacked remotely. It doesn’t need batteries or an internet connection. It’ll still be readable in ten years.
The risk: Paper can burn, flood, or get thrown away by someone who doesn’t know what it is. It’s also not great if you need your codes while traveling.
Mitigation: Label the paper clearly (but not so clearly that a stranger would know what the codes are for). Something like “Account recovery codes” is fine. Don’t write the associated passwords next to them.
On an encrypted USB drive
Copy your backup codes into a text file, put it on a USB drive, and encrypt the drive (or at minimum, encrypt the file). Store the drive somewhere safe, like alongside your printed copies.
Why this works: You get a digital copy that’s portable and encrypted. If you need to travel with your codes, you can bring the drive.
The risk: USB drives fail. They also get lost easily because they’re small. Encryption only works if you remember the password. And if you’re the kind of person who has a drawer full of mystery USB drives, good luck finding the right one.
Mitigation: Label the drive. Test it periodically to make sure it still works. Store the encryption password in your password manager (yes, this creates a dependency, but it’s a reasonable one if you have a printed backup too).
Where not to store them
A few places that seem convenient but aren’t great:
- A plain text file on your desktop. Anyone who gets access to your computer gets your codes. Malware can read them. You’ll probably accidentally delete the file during a cleanup.
- A screenshot in your camera roll. Phone photo libraries sync to the cloud, get shared in albums, and show up in unexpected places. It’s not encrypted.
- An email to yourself. If someone compromises your email, they get your backup codes, which is especially bad since email is usually the master key to resetting everything else.
- A sticky note on your monitor. I wish this went without saying.
How many backup methods should you have?
Two is a good number. One digital (password manager) and one physical (printed copy in a safe place). This covers the main failure modes: if the digital copy is inaccessible, you have paper; if the paper is unavailable, you have the digital copy.
Going beyond two adds complexity without much benefit unless you’re protecting something unusually high-value.
Regenerate codes when you use them
Every time you use a backup code, it’s consumed. It won’t work again. If you’ve dipped into your codes, log in to the service and generate a new set. Then update all the places where you stored the old ones.
Some services show you how many backup codes you have remaining. Check this occasionally. If you’re down to one or two, regenerate.
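To make the "used exactly once" and "regenerating invalidates the old set" rules concrete, here is an added example (written for this post, not any particular service's code) of how a service could handle backup codes on its side: hashed at rest, consumed once, and counted so it can warn you when you're running low. The alphabet, code length and PBKDF2 cost are assumptions.

```python
"""Server-side backup codes: generate, store hashed, consume once, regenerate."""
import hashlib
import hmac
import secrets

# Assumed alphabet: no look-alikes (0/O, 1/l/I) so a printed code can be typed reliably.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000  # assumption: tune to the cost budget of the login path


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise so "ABCD-EFGH IJ" and "abcdefghij" both match the stored hash.
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Per-account store of hashed, single-use codes (in-memory stand-in for a DB row)."""

    def __init__(self) -> None:
        self.salt = b""
        self.hashes: list[bytes] = []  # only unused codes; a used code is deleted

    def regenerate(self, count: int = 10, length: int = 10) -> list[str]:
        """Issue a fresh set. The previous set is invalid the moment this returns."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self.salt = secrets.token_bytes(16)
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        return codes  # shown to the user once; the service keeps only the hashes

    def remaining(self) -> int:
        """How many unused codes are left (what the 'codes remaining' counter shows)."""
        return len(self.hashes)

    def consume(self, candidate: str) -> bool:
        """Accept a code at most once. Returns True if it was valid and unused."""
        digest = _hash_code(candidate, self.salt)
        for i, stored in enumerate(self.hashes):
            # Constant-time comparison of the digests, not of the plaintext codes.
            if hmac.compare_digest(digest, stored):
                del self.hashes[i]  # single use: remove before reporting success
                return True
        return False
```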
A quick routine for new accounts
Whenever you enable 2FA on a new account:
- Complete the setup and confirm your authenticator works
- Copy the backup codes
- Paste them into a note in your password manager
- Print a copy for your physical backup
- Move on with your life
It takes two minutes. Set this as a habit and you’ll never be the person desperately Googling “locked out of account lost phone” at midnight.
If you want to test your TOTP setup and make sure codes are generating correctly, you can try 2fa.zip. It runs in your browser and doesn’t send anything to a server.