How to keep your safety net ready when you need it.
When available, recovery codes are an important part of keeping your account safe by ensuring you can regain access to your account should something bad happen.
I strongly recommend you create/retrieve them and keep them safe and secure.
The question is: exactly how are you supposed to do that?
Keeping recovery codes secure
There are two general approaches to saving recovery codes: printing them or saving them in digital form. In both cases, keeping them secure is important. This means storing the printed paper somewhere secure or securely encrypting the digital versions. In either case, be sure to create recovery codes before you need them so you can regain access to your account should you ever need to.
Recovery codes, sometimes referred to as one-time passwords or backup codes, are codes you generate, save, and then use if for some reason you can’t sign in normally.
Exactly how you get recovery codes depends on the service. Many services offer them as part of their two-factor authentication implementation. Recovery codes are often the safety net for when you’ve lost your second factor.
Some codes are long single codes, such as the Microsoft account recovery code shown above. Others are collections of 8 or 10 shorter codes. There are probably other variations as well.
They share a few things in common:
- They appear to be random numbers or strings.
- Typically, each code can be used only once.
- Your ability to provide a recovery code when requested verifies that you are the legitimate account holder and should be allowed access to the account.
It’s that last item that makes it so important to store recovery codes securely: anyone with access to the codes can potentially gain access to your account.
There are two approaches to storing recovery codes securely: print a hard copy or save a digital copy.
Print the codes
This is perhaps the most common recommendation I see when I create recovery codes. It’s also the one I like the least.
The concept is simple: print the recovery codes on paper and then store that paper somewhere secure, such as in a safe or a locked drawer.
I don’t like this technique because unless you print multiple copies and store them in different locations, there’s only one copy of the codes. On top of that, paper is a fragile medium: it’s easy to lose to fire or other mishaps.
But it’s certainly an easy approach, and if this is what you feel most comfortable with, by all means, print your recovery codes and store them somewhere safe. Just make sure that “somewhere” is indeed safe and secure.
Encrypt the codes
In my opinion, the best way to store recovery codes is to copy them and secure that file with strong, secure encryption.
First, make a digital copy of the code. You can:
- Take a digital picture of the code.
- Take a screenshot of the code.
- Copy/paste the code into a simple text file.
Then encrypt that file. That could include techniques such as:
Storing it as part of your password vault — either with its associated account entry, or as a separate secure note — is also a useful approach, since password vaults are also encrypted by default.
The big advantage of this technique is that it makes backing up your recovery codes a snap. Since they’re securely encrypted, these encrypted files can remain on your hard disk, where they’ll be included in your regular backups.
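As an added example of the digital approach described above (not code from the Ask Leo! article): put the codes in a text file, encrypt that file with a passphrase using the openssl command-line tool, and confirm the encrypted copy decrypts correctly before deleting the plaintext. It assumes openssl 1.1.1 or newer is installed and that the passphrase is supplied in the RECOVERY_PASSPHRASE environment variable; the codes themselves are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Ask Leo! article. Assumes the openssl CLI
# (1.1.1+ for -pbkdf2) is installed; the recovery codes are made-up samples.
set -eu

write_codes() {   # $1 = plaintext path; writes constructed sample codes
    cat > "$1" <<'EOF'
example.com (account: alice) recovery codes, generated 2024-01-01
1234-5678
2345-6789
3456-7890
EOF
}

# Encrypt $1 into $2. The passphrase is read from RECOVERY_PASSPHRASE, not
# the command line, so it stays out of shell history; PBKDF2 slows guessing.
encrypt_codes() {
    : "${RECOVERY_PASSPHRASE:?set RECOVERY_PASSPHRASE to a strong passphrase}"
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:RECOVERY_PASSPHRASE
}

decrypt_codes() {   # $1 = encrypted path, $2 = output path (same KDF settings)
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:RECOVERY_PASSPHRASE
}

# Returns 0 only when decrypting reproduces the original byte for byte.
# Delete the plaintext only after this passes; the .enc file can stay in backups.
verify_roundtrip() {
    dir=$(mktemp -d)
    write_codes "$dir/codes.txt"
    encrypt_codes "$dir/codes.txt" "$dir/codes.txt.enc"
    decrypt_codes "$dir/codes.txt.enc" "$dir/codes.check"
    if cmp -s "$dir/codes.txt" "$dir/codes.check"; then ok=0; else ok=1; fi
    rm -rf "$dir"
    return $ok
}

# Returns 0 when a wrong passphrase does NOT yield the original codes.
wrong_passphrase_fails() {
    dir=$(mktemp -d)
    write_codes "$dir/codes.txt"
    encrypt_codes "$dir/codes.txt" "$dir/codes.txt.enc"
    if (RECOVERY_PASSPHRASE="not the real one"; export RECOVERY_PASSPHRASE
        decrypt_codes "$dir/codes.txt.enc" "$dir/codes.check" 2>/dev/null) \
       && cmp -s "$dir/codes.txt" "$dir/codes.check"; then ok=1; else ok=0; fi
    rm -rf "$dir"
    return $ok
}
```

Run `verify_roundtrip` after encrypting each real codes file; only once it returns success should the unencrypted copy be removed.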
Always generate recovery codes for accounts that offer them. Hopefully, you’ll never need them, but if you ever lose access to your account, you’ll be very glad you have them.
Store your recovery codes in a secure location that works for you. I prefer the digital approach (I use Cryptomator), but whatever works for you and remains appropriately secure will do.