You have taken steps to protect your digital services by enabling two-factor authentication. But what do you do with recovery codes given to you by a service to gain access if the usual authentication method isn’t available?
You should keep your recovery codes safe, but more importantly, keep them somewhere you have access to when you need them.
What are recovery codes and why do I need them?
Recovery codes are a fail-safe, a way to override the additional security measures placed on a digital service or account. They are randomly generated, single-use, and typically consist of at least 16 digits.
You’re often given a single code, but you can also receive multiple, such as when you set up two-factor authentication (2FA) on a Google account. If you receive multiple codes, any one of them can be used to authenticate your login.
Two-factor authentication requires a second way to authenticate access, often on a separate device. If that device is lost, stolen, or doesn’t work, you could lose access to your account forever. Recovery codes are a backup of authentication, used when the second factor of 2FA is not available.
In the case of a zero-knowledge service, such as cloud storage, a recovery code or key is used in a similar way. The recovery code or key is linked to your password digitally. If you forget your password, the recovery key proves that you are authorized to access the account. It is more important to keep this type of recovery code in a safe place, as it is used in place of your password and not together with it.
2FA is enabled, where is my recovery code?
When you set up 2FA on your accounts, there is usually a clear prompt to generate and download your recovery code. If you missed it or downloaded a code and don’t know where it is, you can usually generate a new one from your account.
Sign in to your account using the 2FA method you set up. The recovery code can usually be found in the security section of the account settings. You can find your existing recovery code here, or instructions to generate a new one. When you generate a new code, any previously downloaded code will be invalid. Make sure you keep it in a safe place!
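To make the properties described above concrete (random, single-use, any code from the set is accepted, and generating a new set invalidates the old one), here is an added Python model of what a service does on its side. It is not code from any real provider; the set size of 8 codes and the choice to store only SHA-256 hashes are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 16     # the page notes codes are typically at least 16 digits
CODES_PER_SET = 8    # assumed set size; real services vary


def _digest(code: str) -> str:
    # Only a hash is kept; a leaked table then does not leak usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


class RecoveryCodes:
    """Server-side model of a single-use recovery-code set (illustrative)."""

    def __init__(self) -> None:
        self._hashes: dict[str, bool] = {}   # code hash -> already used?

    def generate(self) -> list[str]:
        # A fresh set replaces the old one, so previously downloaded
        # codes stop working the moment the user regenerates.
        codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
                 for _ in range(CODES_PER_SET)]
        self._hashes = {_digest(c): False for c in codes}
        return codes   # shown to the user once, then only hashes remain

    def redeem(self, code: str) -> bool:
        # Accept the spacing or dashes a user may have written on paper.
        code = code.replace(" ", "").replace("-", "")
        digest = _digest(code)
        for stored, used in self._hashes.items():
            if hmac.compare_digest(stored, digest):
                if used:
                    return False          # single-use: a replay is refused
                self._hashes[stored] = True
                return True
        return False                      # unknown or stale code

    def remaining(self) -> int:
        # How many unused codes are left; the user should regenerate
        # before this reaches zero.
        return sum(1 for used in self._hashes.values() if not used)
```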
Option 1: Print your recovery codes
For most people, storing their recovery codes on paper is one of the safest methods. The paper cannot be hacked or accessed remotely. You might lose paper, but you can easily print multiple copies, keeping one safe at home, another in your purse or wallet, etc.
As long as you don’t store the codes along with your other login details, there’s not much anyone can do with them, even if they see the hard copy. It’s not a very technologically advanced method, but sometimes the old ways are the best.
Option 2: Store recovery codes in the cloud
Another good option is to store the recovery codes in your cloud storage vault, as long as that cloud storage account isn’t itself protected by two-factor authentication. If it is, you’ve only moved the problem back one step.
Keeping your recovery codes in a cloud storage vault means you can access them anywhere, as long as you have some means of connecting. You can use the cloud storage service you already have an account with, or take advantage of the free account offered by almost all cloud storage providers.
When you download recovery codes as a text or PDF file, it is usually assigned a random file name. If you think you might forget what the file and codes are for, you can name it something more memorable. Just don’t call the file “LastPass 2FA Recovery Codes” or anything so obvious.
As with most of the other methods we’re discussing, it’s best to store your recovery codes alone and never in the same place as your other login details. If you follow this rule, hiding the file behind a bogus filename becomes less important.
Option 3: Keep the recovery codes on a USB flash drive
Keeping your recovery codes on a USB flash drive has several benefits. The drive can’t be reached over a network, so the codes can’t be stolen remotely; it doesn’t depend on an internet connection; and it is easy to carry with you.
Most small USB drives have a hole or loop so they can be attached to your keychain. And since you’re unlikely to leave your keys lying around in insecure places, the drive and your recovery codes stay with you.
If you choose to use this option, it’s a good idea to use a high-quality USB stick. Ideally, choose one with a metal body to reduce the risk of the drive being broken or lost.
You can also password protect the USB drive or even encrypt it with BitLocker or another encryption tool. But that requires you to remember another password.
Where you should never store recovery codes
2FA recovery codes are not as sensitive as passwords, at least not on their own. But there are still some places where you should never store them.
Within a service or account protected by 2FA
Do not store your password manager recovery codes inside your password manager. If you enable two-factor authentication on your Google account, don’t store recovery codes in your Google Drive. These may seem obvious, but when you’re used to using one place to store all your sensitive data, it’s easy to make that kind of mistake.
On your computer desktop
Many of us rely on browser password autofill tools these days. If someone maliciously accesses your computer, they may not even need to know your password. Your computer could enter it for them and, when combined with recovery codes, access your 2FA-protected accounts.
On a sticky note attached to your monitor
For the same reasons as above, if your recovery codes are on a sticky note and someone gains physical access to your computer, the codes are right there. If they also work out the password, you’ll be in trouble. You might object that storing recovery codes on paper is the first option in this guide. It is, and keeping the codes on paper is fine, as long as the paper is kept in a private and secure place, away from your device.
Store your recovery codes securely
Recovery codes for 2FA are important and you should keep them safe, but it’s more important to keep them accessible.
Using a combination of the methods explored here will mean your recovery codes are safe and available when you need them. Choose the methods that work best for you and take advantage of the tools that are already available.
For example, if you already have cloud storage, or always carry a USB drive on your keys, store your codes there. And then print them as a backup as well.
Here are some final thoughts and tips to keep in mind when storing your recovery code:
- Never store recovery codes with other login information for the account. This includes username, password, or account name.
- Splitting the recovery code into two parts can improve security when it is stored. Someone who finds one piece cannot use it without recognizing that the pieces need to be joined, and even then they need to know in which order the parts are entered.
- For your most important 2FA-protected services, like the password manager that contains all your account login details, regenerate your recovery codes regularly.
- But remember, if you update your codes, or if you have to use a one-time recovery code, don’t forget to replace the stored code with the new one.