Metal store

Where should you store recovery codes?

Tero Vesalainen/

You’ve taken steps to secure your digital services by enabling two-factor authentication. But what about the recovery codes that a service gave you to access it if the usual authentication method is not available?

You should keep the recovery codes somewhere safe, but more importantly, keep them somewhere you can access them when you need them.

What are recovery codes and why do I need them?

Recovery codes are a fail-safe, a way to bypass additional security measures placed on a service or digital account. They are randomly generated, single-use and usually have at least 16 digits.

You often receive a single code, but you can also receive several, for example when you set up two-factor authentication (2FA) on a Google account. If you receive multiple codes, any of them can be used to authenticate your connection.

2FA Recovery Codes for Google Account

Two-factor authentication requires a second way to authenticate access, often on a separate device. If this device were lost, stolen, or inoperable, you could lose access to the account forever. Recovery codes are an authentication backup, used when 2FA’s second factor is not available.

In the case of a zero-knowledge service, such as cloud storage, a recovery code or key is used in the same way. The recovery code or key is digitally linked to your password. If you forget your password, the recovery key proves that you are authorized to access the account. It is more important to keep this type of recovery code in a safe place because it is used instead of your password rather than alongside it.

2FA is activated, where is my recovery code?

When you set up 2FA on your accounts, there’s usually a clear prompt to generate and upload your recovery code. If you missed it or downloaded a code and don’t know where it is, you can usually generate a new one from the account.

Log in to your account using the 2FA method you configured. The recovery code is usually found in the security section of account settings. You may find your existing recovery code here, or instructions for generating a new one. When you generate a new code, all previously downloaded codes will be invalid. Be sure to keep it in a safe place!

Option 1: print your recovery codes

For most people, storing your recovery codes on paper is one of the most secure methods. The paper cannot be hacked or accessed remotely by anyone. You might lose the piece of paper, but you can easily print multiple copies, keeping one safe at home, another in your purse or wallet, etc.

Until you store the codes with your other login details, there’s not much anyone can do with them, even if they see the print. It’s not a very technologically advanced method, but sometimes the old ways are the best.

Option 2: Store recovery codes in the cloud

Another good option is to store the recovery codes in your cloud storage vault, as long as it doesn’t use two-factor authentication as well. If so, you are only taking the problem one step back.

Storing your recovery codes in a cloud storage vault means you can access them anywhere, as long as you have a way to log in. You can use the cloud storage service you already have an account with or take advantage of the free account offered by almost all cloud storage providers.

When you download recovery codes as a text or PDF file, they are usually given a random file name. If you think you might forget what the file and codes are for, you can give it a more memorable name. Just don’t call the file “LastPass 2FA Recovery Codes” or anything so obvious.

As with most of the other methods we discuss, it’s best to store your recovery codes alone and never in the same place as other login credentials. If you follow this rule, hiding the file behind a fake filename becomes less important.

Option 3: Store recovery codes on a USB flash drive

Storing your recovery codes on a USB flash drive has several advantages. No one can hack it to steal the codes, it doesn’t depend on an internet connection to access them, and they’re easy to carry around.

Most small thumb drives have a hole or a loop so they can be attached to your key ring. And since you’re unlikely to leave your keys lying around in dangerous places, the USB drive and your recovery codes will be safe.

A USB drive plugged into a laptop and attached to a keyring with a physical key.
Omurali Toichiev/

If you choose to use this option, it’s a good idea to use a high-quality USB flash drive. Ideally, choose one with a metal body to reduce the risk of breakage or loss of the disc.

You can also password protect the USB drive, or even encrypt it with BitLocker or another encryption tool. But this requires you to remember yet another password.

Where You Should Never Store Recovery Codes

2FA recovery codes aren’t as sensitive as passwords, at least not on their own. But there are still a few places you should never keep them.

Inside a 2FA-protected service or account

Do not store your password keeper recovery codes in your password keeper. If you enable two-factor authentication on your Google Account, do not store recovery codes in your Google Drive. It may seem obvious, but when you’re used to using one place to store all your sensitive data, it’s easy to make this kind of mistake.

On your computer desktop

Many of us rely on browser password autofill tools these days. If your computer is accessed by someone with bad intentions, they might not even need to know your password. Your computer could grab it for them and, when combined with recovery codes, gain access to your 2FA-protected accounts.

On a sticky note stuck to your monitor

Like the reasons above, if you have your recovery codes on a sticky note and someone manages to physically gain access to your computer, the recovery codes are there. If they manage to figure out the password that comes with it, you’ll be in trouble. But, you might be saying that storing recovery codes on paper is the first option in this guide. It is, and keeping codes on paper is fine, as long as the paper is kept in a private and safe place away from your device.

Store your recovery codes securely

Recovery codes for 2FA are important and you should keep them in a safe place, but it’s more important to keep them accessible.

Using a combination of the methods explored here means your recovery codes are safe and available when you need them. Choose the methods that work best for you and take advantage of the tools already available.

For example, if you already have cloud storage, or if you still have a USB drive on your keys, keep your codes there. And then print them as backup as well.

Here are some final thoughts and tips to keep in mind when storing recovery code:

  • Never store recovery codes with other login information for the account. This includes username, password or account name.
  • Splitting the recovery code into two parts can improve security when stored. Someone who finds the parts of the code cannot use them without recognizing that they must be joined. And even then, they need to know in what order the pieces came in.
  • For your most important 2FA-protected services, such as the password manager that contains all of your account login information, refresh or update recovery codes regularly.
  • But remember, if you refresh your codes, or if you need to use a one-time recovery code, remember to replace the stored code with the new one.

RELATED: 8 cybersecurity tips to stay protected in 2022