Guide
How to Safely Back Up Two-Factor Recovery Codes
Recovery codes are the keys you use when everything else fails. Where to keep them so a lost phone does not become a lost account, without leaving them exposed in plaintext.
When you enable two-factor authentication, most services hand you a short list of one-time recovery codes and tell you to store them somewhere safe. Those codes exist for exactly one moment: the day your phone is lost, broken, wiped, or replaced and your authenticator app is gone. Handled well, they turn that day into a minor inconvenience. Handled badly, they are either lost when you need them or exposed where an attacker can find them.
The tension is real: recovery codes must survive the loss of your devices, yet each one is a full bypass of your second factor. A good backup plan takes both halves seriously.
What makes a good recovery code backup
A useful backup is offline or encrypted, separated from the device it is meant to rescue, findable by you years later, and labeled clearly enough that future-you knows which account each code belongs to. OWASP's guidance on multifactor authentication treats backup and recovery as part of the mechanism itself, not an afterthought, because account lockout is one of the most common real-world failures of 2FA.
Two storage shapes satisfy these properties for most people: paper kept somewhere physically secure, and an encrypted digital copy whose password you will not lose. Using both, stored in different places, protects against both fire-and-flood scenarios and forgotten-password scenarios.
Paper, done properly
Paper is immune to malware, ransomware, and cloud account takeovers, which makes it an excellent medium for recovery codes. SecretPNG's recovery code sheet tool formats your codes into a clean printable sheet with labeled slots for the service name, account, and date, and it runs entirely in your browser: the codes you type never leave your device, and nothing is stored after you close the tab.
Print the sheet, fill in any remaining details by hand, and store it where you keep other important documents, such as a home safe or a locked drawer. For higher-value accounts, keep a second copy in a different physical location. Treat the sheet like a spare house key: anyone who holds it can get in.
Encrypted digital copies
A digital backup is convenient and searchable, but recovery codes must never sit in plaintext in a notes app, an email draft, a screenshot in your camera roll, or a file called codes.txt in cloud storage. Those are among the first places an attacker with access to your accounts or devices will look.
Instead, put the codes in a file and encrypt it, for example into a SecretPNG vault protected by a strong generated passphrase, and store the encrypted file wherever is convenient, including cloud storage. The protection then travels with the file. One caution: do not protect the backup with a password whose recovery depends on the very codes inside it, or you have built a circle you cannot re-enter.
What not to do
A few habits undermine recovery codes badly enough to call out directly.
- Do not store codes in plaintext in email, cloud notes, or chat messages with yourself.
- Do not keep the only copy on the same phone the codes are meant to rescue.
- Do not photograph codes into an auto-syncing photo library.
- Do not put cryptocurrency seed phrases on a recovery sheet or into any browser tool; seed phrases directly control funds and deserve dedicated, offline handling. SecretPNG's recovery code sheet warns against this for the same reason.
- Do not forget to cross off used codes and regenerate the set after several have been spent.
Review it once a year
Recovery setups rot quietly: services get added, codes get used, paper gets misplaced. Once a year, check that you still know where every copy lives, that the accounts listed still matter, and that newly enabled 2FA accounts have their codes backed up too. Five minutes of review is what makes the backup real.
Limitations to keep in mind
- Paper backups can be physically stolen, lost, or destroyed; they trade digital risks for physical ones rather than eliminating risk.
- An encrypted backup is only as strong as its password, and a forgotten password makes the backup permanently unreadable.
- The recovery code sheet tool runs locally and stores nothing, so SecretPNG cannot help you recover a sheet you lose.
- SecretPNG is in beta and not independently audited.