Whenever possible, I use 2FA. However, I've been wondering what to do with one-time backup codes that many apps give you when setting up the 2FA.<p>If you are not storing them in a secure manner, then using 2FA is not really an additional layer of security. Plain text is obviously wrong. However, even using your password manager would not make much sense, as if someone gains access to it, 2FA will not protect you from anything.<p>So, what do you do? Do you simply not keep them?
What kind of threat scenarios are you looking at?<p>> If you are not storing them in a secure manner, then using 2FA is not really an additional layer of security.<p>Even if you simply have them written on a post-it note glued to your monitor, people would have to physically break into your home to access them, which to me sounds like a very big additional layer of security for most people (as in: it won't happen unless you're a target for something big). Back them up to an off-site (physical or digital) location in case of a fire/flood/&c.<p>> However, even using your password manager would not make much sense, as if someone gains access to it, 2FA will not protect you from anything.<p>If that's how you see it then nothing is "safe". Memorising them? Storing them in a physical bank safe?<p>I wouldn't sweat it unless you're a person of interest, in which case you'd probably already be in contact with security professionals.
- Password manager for both password storage and 2FA OTP generation. (Not the best practice, but the convenience is worth the trade-off.)<p>- Password manager for almost all 2FA backup code storage. Both the best place and the dumbest place to store these. "The best" because it's pretty secure; "the worst" because it's a single point of failure AND if I can access my password manager I already have access to my 2FA OTPs. I regularly make an encrypted backup of my password vault.<p>- Authy for 2FA OTP generation for my password manager.<p>- A printed card in my wallet for 2FA backup codes for my email account and password manager. Password manager master password is kept in a safe (in case I get hit in the head and forget it).<p>This isn't perfect, but it fits my risk profile.
You can use Authy; the restore feature works great. You simply have to save the recovery key somewhere safe. You also have to trust the developer (Twilio) in this case.
I don’t bother with the backup codes. Instead, I store the QR code used for setting up the 2FA functionality.
When I get a new phone, I can scan all the QR codes and immediately be back ready to go. If I lose my phone for whatever reason, I can do similarly. Although in that scenario I would also have to redo the 2FA and regenerate codes, considering the lost phone to be compromised.<p>I do the QR codes rather than whatever recovery codes just because every site seems to do recovery codes differently. The QR codes work consistently everywhere.<p>As far as how I store them, I keep encrypted digital copies. Not synced to the cloud or anything.
I take a screenshot of the QR codes and save the images directly into my password manager and a private git repo.<p>> <i>If you are not storing them in a secure manner, then using 2FA is not really an additional layer of security</i><p>My worry is not someone hacking into my password manager but rather someone doing a drive-by hack using old/leaked passwords. Therefore I optimise for convenience.
I store my passwords in Bitwarden and my 2FA info in a local Keepass database. I don't feel comfortable putting both in the same place and find Bitwarden far more usable day to day.
Like many, I used to store the OTP seeds in offline secure "bugout" storage, but I came to see that this pushes TOTP even further away from "something you have" than it already is. So I just store the emergency recovery codes in the bugout storage now, and treat a token wipe as a rare enough event that I can tolerate it. At least you'll be notified if someone compromises your recovery codes.<p>You're right to be reluctant to keep them in a password manager, for sure.
How about: store the OTP secrets as well as the backup codes in an encrypted file/HashiCorp Vault/KeePass (not with other passwords)/Authy, with the encryption keys being stored on USB flash drives and YubiKeys, which can be put both on your keychain and in a physical safe. Many possible variants of this for different use cases.
You should read “This World of Ours” by James Mickens. <a href="https://www.usenix.org/system/files/1401_08-12_mickens.pdf" rel="nofollow">https://www.usenix.org/system/files/1401_08-12_mickens.pdf</a><p>It’s informative and funny. Mossad or not Mossad?
I use Microsoft Authenticator App, which has an option to backup secrets to OneDrive. I now use it for all services which support 2FA setup via QR code, including Google accounts.<p>Previously it was Google Authenticator, which didn't seem to have a backup option.
I store the TOTP seed and backup codes in plain text files in an encrypted filesystem. I copy the filesystem blob to a couple of USB keys every month or so and store the keys in safes.
Yep, have been using an encrypted file on Dropbox to store this. But clearly, it's a security hole potentially. So, curious what are other options there.