You get a password manager to store all your passwords, and to make your password manager as secure as possible, you turn on 2FA.
Now that you have 2FA on your password manager, you have a new problem: where do you store your password manager’s 2FA recovery codes (also called backup codes)?
In most situations, if you lose your 2FA recovery code and the master password, you’re locked out of your password manager forever. So you mustn’t lose either one.
Here are a few tips and ideas you can use so you don’t lose your 2FA recovery codes.
1. The Best Place To Store 2FA Recovery Codes?
The very best place to store your 2FA recovery codes is on a piece of paper you keep hidden in your home.
At the bare minimum, this is what most people should be doing.
This hiding spot could be a safe, a book, under the mattress, or wherever you consider a safe spot in your home. If you’re the type of person to lose things, you can always attach them to something large like the back of the washing machine.
You just can’t beat paper (unless you’re scissors).
It’s impossible to hack. It has a lengthy lifespan; we still find paper documents from centuries ago. It’s also the easiest for others to understand if something happened to you, like a coma or death.
2. Inside Your Password Manager
I can’t tell you how many people I’ve seen get locked out of their password manager but still have access on another device due to biometrics or PIN.
They can’t log in from a new device because they either don’t remember their master password or lost their 2FA device.
If you keep your 2FA recovery code and master password in your password manager, you can always get back in if you have access to another unlocked device.
3. With Someone You Trust
If you have someone you trust, you could give them a copy to keep in their password manager.
If they don’t have a password manager, you can seal it up in an envelope and have them keep it with their other important documents.
4. In Your Wallet
What if you’re not home much and would like to have your recovery code within reach?
You could write it down and keep it in your wallet.
If someone steals your wallet, it may not be evident to them what it is, as there is no context. And if that is the only thing on the paper, it’s useless anyway without the master password and email address.
5. Put It In The Cloud
What about a “wake up naked in the desert” type of situation? Or you don’t have anywhere physically safe to store your recovery code? Or you’re on vacation and lose your devices?
You can always store the recovery code in cloud storage, but this will require an extra password to remember.
There are many cloud storage options, but stick to the encrypted ones like Filen.io, Icedrive.net, Sync.com, and Mega.io.
The password you use for this cloud storage needs to be unique, not used anywhere else, and easily remembered (and it definitely can’t be the same as, or similar to, the master password of your password manager). Also, you can’t have 2FA on your cloud storage, or you run the risk of locking yourself out of that too.
All these cloud storage options have free accounts, and if you go with the free account, make sure to log in often (every couple of months), or you run the risk of them deleting your inactive account.
A few cloud storage options like Filen.io and Icedrive.net have lifetime plans that are worth it for this exact situation. So pay once, and don’t worry about it again. You don’t even need much storage; the cheapest lifetime plan will work.
I’m personally a fan of Filen.io right now because it will email you when a new device logs into your account, which I consider a huge security feature. The only problem with Filen.io is that the lifetime plans come and go; they use an algo to add or remove the option depending on profits, so if you see a lifetime plan, jump on it right away.
Tip: If you go with the cloud storage option, also put a list of phone numbers of people you can call. People don’t remember phone numbers anymore, and having someone to call can often be more important than getting into your password manager.
Also: one good reason to use encrypted cloud storage is for backups of your vault. Store your password manager’s export inside an encrypted storage container as we talked about here, and if something were to happen to your password manager account, you’ll still be fine. And if you keep your recovery code inside your password manager, it will also be in the export, making for a more seamless process.
6. Put It In Standard Notes
Like storing your recovery code in a cloud storage provider, you can also use Standard Notes.
Standard Notes is a note-taking app that stores your notes end-to-end encrypted in the cloud.
What they do for encryption is quite impressive; it’s better than some password managers. All of this makes me feel very comfortable storing something like a recovery code, but I would only use it for that.
They have a free plan, and just like with the cloud storage, I would log in every so often to keep it active. Though I can’t find any reports of them deleting inactive accounts, you never know; in the future they may. This may be the best free and easiest method if you can’t physically store the codes.
You will need a unique password that is not used anywhere else, and don’t turn on 2FA for Standard Notes either, as discussed in the cloud storage section.
7. Engrave It Into Metal
With cryptocurrency wallets, a common trend is to engrave your phrase into metal as it can withstand fire and other disasters.
The same can be done with your 2FA recovery code.
You can engrave it into metal, or using a stamp kit, you can stamp it.
If you have a yard, you can also take that piece of metal with your recovery code on it and bury it. It’s a bit extreme, but it might be the best option for some, as this would survive many disaster situations.
8. Set Up Emergency Access
Not so much a way of storing the recovery code, but many password managers, like Bitwarden, offer the ability to set up emergency access, which can be just as good.
It’s often a premium feature for most password managers, but compared to paying for cloud storage or figuring out how to engrave metal, it might be the easiest.
The best thing about emergency access is that you set a time frame the person has to wait before being let into your account. You’ll also get warning emails and can cancel it before then, which is a nice feature.
All this without actually giving someone anything or keeping them updated if you make changes. So long as they keep access to their password manager account, you can get back into yours.
9. Safe Deposit Box
You can’t go wrong with keeping your password manager’s recovery code inside a safe deposit box at the bank.
These boxes are not always free, and you can only get to them during regular banking business hours. But it will for sure be a safe place to store it.
If you already have a box, it’s a great option, especially if you want redundancy.
10. Hide It In Your Car
Cars have random letters and numbers all over, from serial numbers to part number stickers.
These things are often hidden or off to the side of most cars, so why not create your own sticker with your recovery code and hide it in your car?
Cars are big and hard to miss. You can lock them, and most of them have alarm systems too. Throw a hidden Apple AirTag somewhere in the car, and you can even track it!
Get a label maker, print your recovery code, and hide it somewhere in your car.
To most people, it will look like any other random gibberish of letters and numbers, but to you, it’s your recovery code.
You could even be clever and hide it behind seats, plastics, or inside the owner’s manual as no one ever reads them.
11. In Another Password Manager
You could always create a second password manager account and store your recovery codes in that.
You will need to remember a second master password, but it could be worth it.
If you want to take it one step further, you could keep all the recovery codes in your main password manager account and turn on emergency access if your password manager supports it. Then make the second account the emergency contact and set whatever time delay you like.
This way, you get an email when a new computer logs in, plus the wait-time emails for the emergency contact.
Should You Even Have 2FA On Your Password Manager?
Having some kind of 2FA on your password manager is worth it.
And for most people, having your 2FA recovery code written down and stored somewhere safe in your home is all you need to do. The other options are only there for the few who need them.
It’s best not to overthink these things; you don’t want to be your own worst enemy.