
Ask HN: How do you manage backup 2FA codes? - dylanjcastillo
Whenever possible, I use 2FA. However, I've been wondering what to do with one-time backup codes that many apps give you when setting up the 2FA.

If you are not storing them in a secure manner, then using 2FA is not really an additional layer of security. Plain text is obviously wrong. However, even using your password manager would not make much sense, as if someone gains access to it, 2FA will not protect you from anything.

So, what do you do? Do you simply not keep them?
======
lm28469
What kind of threat scenarios are you looking at ?

> If you are not storing them in a secure manner, then using 2FA is not really
> an additional layer of security.

Even if you simply have them written on a post-it note glued to your monitor,
people would have to physically break into your home to access them, which to
me sounds like a very big additional layer of security for most people (as in:
it won't happen unless you're a target for something big). Back them up to an
off-site (physical or digital) location in case of a fire/flood/&c.

> However, even using your password manager would not make much sense, as if
> someone gains access to it, 2FA will not protect you from anything.

If that's how you see it then nothing is "safe". Memorising them ? Storing
them in a physical bank safe ?

I wouldn't sweat it unless you're a person of interest in which case you'd
probably already be in contact with security professionals.

~~~
dylanjcastillo
> Even if you simply have them written on a post-it note glued to your monitor,
> people would have to physically break into your home to access them, which to
> me sounds like a very big additional layer of security for most people (as
> in: it won't happen unless you're a target for something big). Back them up
> to an off-site (physical or digital) location in case of a fire/flood/&c.

For me, the issue with this method is not so much on the security side but on
that it is likely to fail when you need it the most. For instance, you are
more likely to lose access to your 2FA device when traveling abroad than when
staying home (e.g., smartphone breaks, gets stolen, etc).

> If that's how you see it then nothing is "safe". Memorising them ? Storing
> them in a physical bank safe ?

Having 2FA backups in the same password manager as your password would be
pretty much the same as not having 2FA enabled, so why bother?

So far, it looks like a combination of two password managers from different
providers seems like the most convenient option. Or Authy and not storing the
backup codes.

~~~
distances
> Having 2FA backups in the same password manager as your password would be
> pretty much the same as not having 2FA enabled, so why bother?

Anything but. Leaks through a password manager are certainly possible, but
only a small risk compared to other password failures.

While I don't store 2FA codes in the manager, I'd consider that or even
unencrypted files in your home folder an ok compromise between convenience and
additional security. Not super safe, but still on a wholly different level
than no 2FA at all.

------
elahd
- Password manager for both password storage and 2FA OTP generation. (Not the
best practice, but the convenience is worth the trade-off.)

- Password manager for almost all 2FA backup code storage. Both the best
place and the dumbest place to store these. "The best" because it's pretty
secure; "the worst" because it's a single point of failure AND if I can access
my password manager I already have access to my 2FA OTPs. I regularly make an
encrypted backup of my password vault.

- Authy for 2FA OTP generation for my password manager.

- A printed card in my wallet for 2FA backup codes for my email account and
password manager. Password manager master password is kept in a safe (in case
I get hit in the head and forget it).

This isn't perfect, but it fits my risk profile.

~~~
RandomBacon
> master password is kept in a safe (in case I get hit in the head and forget
> it).

In that case I hope it's a biometric safe.

------
milhouse1337
You can use Authy; the restore feature works great. You simply have to save
the recovery key somewhere safe. You also have to trust the developer (Twilio)
in this case.

~~~
AnonHP
What I don't like about Authy is that it requires a phone number (and
verification of the number) to use it. That's one more point of failure,
depending on the situation. I prefer not to link a phone number with services
unless it's unavoidable.

------
snailmailman
I don’t bother with the backup codes. Instead, I store the QR code used for
setting up the 2FA functionality. When I get a new phone, I can scan all the
QR codes and immediately be back ready to go. If I lose my phone for whatever
reason, I can do similarly. Although in that scenario I would also have to
redo the 2FA and regenerate codes, considering the lost phone to be
compromised.

I do the QR codes rather than whatever recovery codes just because every site
seems to do recovery codes differently. The QR codes work consistently
everywhere.

As far as how I store them, I keep encrypted digital copies. Not synced with
cloud or anything.

~~~
kissstupid
Same here. I use KeePass to store my 2FA key and attach the screenshot of the
QR for easy restoration.

------
SenHeng
I take a screenshot of the QR codes and save the images directly into my
password manager and a private git repo.

> _If you are not storing them in a secure manner, then using 2FA is not
> really an additional layer of security_

My worry is not someone hacking into my password manager but rather someone
doing a drive-by hack using old/leaked passwords. Therefore I optimise for
convenience.

------
brewdad
I store my passwords in Bitwarden and my 2FA info in a local Keepass database.
I don't feel comfortable putting both in the same place and find Bitwarden far
more usable day to day.

------
jrootabega
Like many, I used to store the otp seeds in offline secure "bugout" storage,
but I came to see that this pushes totp even further away from "something you
have" than it already is. So I just store the emergency recovery codes in the
bugout storage now, and treat a token wipe as a rare enough event that I can
tolerate it. At least you'll be notified if someone compromises your recovery
codes.

You're right to be reluctant to keep them in a password manager, for sure.

------
ozb
How about: store the OTP secrets as well as the backup codes in an encrypted
file/HashiCorp Vault/KeePass (not with other passwords)/Authy, with the
encryption keys being stored on USB flash drives and YubiKeys, which can be
put both on your keychain and in a physical safe. Many possible variants of
this for different use cases.

------
zcw100
You should read “This World of Ours” by James Mickens.
[https://www.usenix.org/system/files/1401_08-12_mickens.pdf](https://www.usenix.org/system/files/1401_08-12_mickens.pdf)

It’s informative and funny. Mossad or not Mossad?

------
noseratio
I use Microsoft Authenticator App, which has an option to backup secrets to
OneDrive. I now use it for all services which support 2FA setup via QR code,
including Google accounts.

Previously it was Google Authenticator, which didn't seem to have a backup
option.

------
epc
I store the TOTP seed and backup codes in plain text files in an encrypted
filesystem. I copy the filesystem blob to a couple of USB keys every month or
so and store the keys in safes.

------
ishcheklein
Yep, I have been using an encrypted file on Dropbox to store this. But clearly
it's potentially a security hole. So I'm curious what other options there are.

------
knurdle
I use 1Password for passwords, Authy for 2FA, and I keep the backup codes in
KeePass synced through cloud storage. It keeps them all separate.

------
highhedgehog
I have printed them and I keep them somewhere safe in my house. I've been
doing this for years now and never had a problem.

------
mceachen
I print the backup codes and put them in a safe.

------
floydax
I use either Bitwarden notes or Cryptomator.

------
floydax
I use either Bitwarden encrypted notes or more recently Cryptomator (with
encrypted files on Dropbox)

------
markandrewj
YubiKeys are a good place to store OTP codes. They also come with the added
benefit of U2F.

------
simplecto
Encrypted notes in Bitwarden or LastPass work for me.

IANASP. (I Am Not A Security Professional)

~~~
kissstupid
As a tip, Bitwarden supports TOTP, so you can generate codes from it directly.

~~~
mceachen
If your Bitwarden credentials are compromised, though, all your accounts are
available.

Much better to keep TOTP credentials in Authy, secured with a password that
isn't in Bitwarden.

------
maydemir
1Password makes this very simple.

