1. 23

Every site I’ve used recommends printing them out and keeping them somewhere safe. However, if I did that, I would quickly lose them all. What are some good strategies for keeping these safe, yet accessible?

  1. 25

    I put them in my password manager like any other secret.

    1. 3

      It’s not really 2FA then, right? If your pw manager is compromised, then your backup codes for 2FA would be too, which (IMHO) kinda defeats the purpose of two factor authentication.

      1. 4

        I guess it will depend what your threat concern is.

        I’m not overly concerned about my password manager being compromised, but I am relatively concerned about the way any given password is transmitted, analysed and stored when being used.

        1. 2

          I disagree with this analysis: two-factor authentication is about having two separate authentication factors (“knowing” (a password) and “owning” (a secret OTP key, etc.)). While this may derail into a philosophical debate, putting OTP keys into the password manager doesn’t really negate that, given that the purpose of the second factor is still served (the secret is stored in your vault and you derive OTPs, so if someone intercepts your password entry they still cannot log in, given that the OTP is spent after a few seconds).

          Arguing that this defeats the purpose is outside of 2FA’s scope, and general care should be taken to secure the password database as a separate matter.

          1. 2

            I use my hardware key as second factor to unlock it. Sites that actually care for 2FA allow me to use FIDO/U2F from my key*.

            *Though you shouldn’t ever use that for Microsoft accounts, because 2FA on Microsoft accounts can actually lock you out of your account, due to the support of said provider telling you that they can’t “unlock” it when you have a second factor. So you can’t log in, because they think you’re using it “wrong”, but they also can’t unlock it. I learned that the hard way when contacting Microsoft (yes, the hotline) over my Windows-key account, because not being logged into the license account for a longer time in your OS is apparently suspicious.

        2. 9

          For less-important sites, I’d just put backup codes in a password manager. Then you only need to print backup codes for a few critical services like email or the password manager itself.

          Totally guessing here, but I feel like the likelihood of different attacks is something like: broken authentication on the site > password breach > SIM swap attack >>> someone breaks into your password manager. So the common attacks are either unavoidable (like if they only support SMS 2FA) or you’re protected no matter where your backup codes are stored.

          1. 1

            Most 2FA secrets, like for Google Authenticator, are stored on the server, so I think your second category is the same as the last category for 2FA. They would then have to break the password hash, but you’re pretty exposed at that point.

            Do dark web data dumps ever contain 2FA secrets? Or do they just mark the password as bad if they have a 2FA?

          2. 8

            Designate a place in your home or a friend/family home where important documents are stored, put them in a waterproof and fireproof safe and include your 2FA backup codes. It’s significantly harder to lose a safe than lose a sheet of paper and the safe provides resilience against fire and flood, both of which would destroy any computer storage that could contain these codes otherwise.

            1. 15

              The “waterproof AND fireproof” point is important. Fires tend to be fought with lots and lots of water, but many fireproof safes that you can buy at the hardware store are only fireproof. I’ve made that mistake myself.

            2. 6

              A safe. They live next to passports and birth certificates. We have a wall safe, but I really should abandon it for a freestanding fireproof safe.

              1. 4

                If your threat model does not include people who can without quick mitigation access your residence by (il)legal means, an inexpensive water- and fire-resistant safe is the correct container for this. If your threat model includes these people, hard copies are never safe and you should probably rely on your existing data security infrastructure and ensure that the data is stored in a write-only N of M system (accepts all writes, requires N of M keys to read; implementation left to the reader).

                If your threat model includes people who may have access to the printer’s memory, writing down the backup codes by hand – or even the 2FA code – ahead of storage is appropriate.

                A way I prioritize is this: credentials authorizing access to 100% irreversible actions are the highest value and thus require the highest precaution and security. Credentials authorizing access to actions that are reversible but are time-consuming to do so, or could allow someone to impersonate me, can be grouped in with other high-value data in a provably secure data storage system, e.g. password manager.
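As an added illustration of the “N of M” container the comment above leaves to the reader (this is not the commenter’s own code), the following Python splits a backup-code file with Shamir’s secret sharing over a prime field: any N of the M shares recover the bytes, fewer reveal nothing. The prime, the sample codes and the share counts are assumptions.

```python
# Added example (not the commenter's system): a Shamir "N of M" split of a
# backup-code file over the prime field GF(P). Any N shares recover the bytes,
# fewer reveal nothing about them. The input codes here are constructed.
import secrets

P = 2**521 - 1  # Mersenne prime; secrets up to 65 bytes fit below it

def split_secret(secret: bytes, n: int, m: int) -> list:
    """Return m shares (x, y); any n of them recover `secret`."""
    s = int.from_bytes(secret, "big")
    if not 0 < n <= m or s >= P:
        raise ValueError("bad threshold or secret too long for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(n - 1)]  # f(0) = s
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):  # Horner: evaluate f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_secret(shares: list, length: int) -> bytes:
    """Lagrange-interpolate f(0) from any n distinct shares."""
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(length, "big")

CODES = b"1234-5678 9012-3456 7890-1234"  # constructed, not real backup codes
```

Store each share in a different place (the paper safe, the cloud vault, a relative’s house); the original length must be recorded alongside the shares because the field encoding drops leading zero bytes.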

                1. 4

                  It depends on the type of 2FA. For TOTP-based 2FA, I use the AndOTP app on Android, which supports manual encrypted backup. I can then store the backup on my NAS, in the cloud, etc.

                  For hardware-based MFA, I keep a spare Yubikey literally locked up. I keep in cold storage a bare minimum KeePassXC database (only holds enough credentials to get me into my most crucial accounts, and from there, I can regain access to 100% of anything crucially important). The KeePassXC cold storage is also literally locked up, but geographically distant from the Yubikey that unlocks it. Of course, the cold storage database uses both a memorized master password and the spare Yubikey.

                  Getting access to both the cold storage database and the backup Yubikey would require two separate subpoenas/warrants from either multiple state agencies or a federal agency (I’m based in the US).

                  So, if my primary Yubikey breaks, or I somehow lose access to my main KeePassXC database, then I can always recover. Recovery would be a huge pain and inconvenience, but in this case, that’s a good thing.

                  And, if I’m in a compromised position, all I’d have to do is break my main Yubikey. I’ve got it easily marked such that I can feel it in my pocket. Should something happen, I could just stick my hand in my pocket, feel for the Yubikey, and break it sight unseen. Access denied. :-)

                  1. 3

                    I do something a bit weird to store 2FA backup codes and other core “secrets”:

                    1. Prepare a set of YubiKeys w/ on-device generated OpenPGP keypairs. Among other things I set good PINs and enable proof-of-presence (ykman openpgp keys set-touch enc on).
                    2. Encrypt secrets (for example, github-recovery-codes.txt) to this set of OpenPGP keys.
                    3. Put the encrypted secrets (github-recovery-codes.txt.gpg) in Google Drive/Dropbox/etc.

                    For me, the advantages are:

                    • The secrets are backed up to the cloud, and if I keep one of these YubiKeys on my keychain I can access them away from home if needed.
                    • Because I’m encrypting secrets to single-purpose, seldom-used YubiKeys that require proof-of-presence (and which I distinguish from my normal U2F/FIDO2/SSH YubiKeys with a bright sticker), it would be challenging even for someone with control of my computer to get at a secret that I didn’t intend to access—as with secrets printed on paper and only typed into the computer when needed, but in contrast with secrets kept in my password manager. This is how I justify to myself that 2FA backup codes stored in this way still constitute “something I have” instead of being just another password.
                    • The secrets are stored electronically, which can be easier to deal with than typing or OCRing printed secrets.
                    • Even if someone takes my safe they’d have a very difficult time doing anything with these secrets without knowing my YubiKey PIN.

                    Obvious downsides include:

                    • It’s expensive to buy a whole extra set of YubiKeys.
                    • This approach requires using GnuPG and various smart card tools, and that all can be uncomfortably fiddly.
                    • I had to write some Python scripts to do things like check the invariant “this collection of .gpg files is encrypted to the correct set of keys”.

                    As other people have commented in this thread, printing 2FA backup codes and putting them in a good fire safe is a sensible and straightforward approach.
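The invariant check the commenter describes (“this collection of .gpg files is encrypted to the correct set of keys”) can be done without shelling out to gpg by reading the OpenPGP packet headers directly. The block below is an added example, not the commenter’s script: it walks a binary .gpg blob, collects the key IDs from the public-key encrypted session key packets and compares them with the expected set. SAMPLE is a constructed blob, not a real file, and the key IDs in it are made up.

```python
# Added example (not the commenter's script): walk the OpenPGP packets (RFC 4880)
# of a binary .gpg blob, collect the recipient key IDs from its PKESK packets and
# compare them with the expected set. SAMPLE is constructed, not a real file.

def _length(buf: bytes, pos: int, ctb: int):
    """Return (body length, position after the length field) for a packet header."""
    if not ctb & 0x40:  # old format: length-type 0/1/2 means 1/2/4-octet length
        size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
        if size is None:
            raise ValueError("indeterminate-length packet not supported")
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    first = buf[pos]  # new format: one-, two- or five-octet length
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths not supported")

def recipient_key_ids(blob: bytes) -> list:
    """64-bit key IDs named in each PKESK packet (tag 1), in file order."""
    ids, pos = [], 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
        length, pos = _length(blob, pos + 1, ctb)
        body, pos = blob[pos:pos + length], pos + length
        if tag == 1 and body[0] == 3:  # v3 PKESK: version, key ID, pk algo, MPIs
            ids.append(body[1:9].hex().upper())
    return ids

def check_recipients(blob: bytes, expected) -> bool:
    """True only if the blob is encrypted to exactly the expected key IDs."""
    return set(recipient_key_ids(blob)) == {k.upper() for k in expected}

def _pkesk(key_id_hex: str, new_format: bool) -> bytes:
    # constructed PKESK body: version 3, key ID, RSA (algo 1), one dummy MPI
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xab"
    if new_format:
        return bytes([0xC0 | 1, len(body)]) + body
    return bytes([0x80 | (1 << 2) | 1]) + len(body).to_bytes(2, "big") + body

# two recipients (one header style each) followed by a dummy tag-18 data packet
SAMPLE = (_pkesk("0123456789ABCDEF", False) + _pkesk("FEDCBA9876543210", True)
          + bytes([0xC0 | 18, 2, 0x01, 0x00]))
```

Armored (.asc) files must be dearmored first, and a file encrypted with GnuPG’s `--throw-keyids` option carries an all-zero key ID, so this check cannot verify such files.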

                    1. 2

                      Index cards, in a fire-resistant safe to the rear of my desk. I am on the first floor on a hill, so no flood danger. You do not need the most expensive safe, only against fires… If someone really wants the codes, they will hit you with the proverbial $2 wrench.

                      1. 2

                        I put the backup codes in the password manager, along with TOTP secrets and passwords. Yes, I also see the weird irony.

                        1. 2

                          I save them in a file, encrypt it and rename it to have a UUID as the file name. I then upload the file to B2 and S3 and store the UUID with the login for the site in my password manager.

                          It at least means you need access to the storage service, the encryption key and the ability to map the files to the specific site (plus the username and password) in order to be able to use the backup keys.

                          1. 2

                            I can neither confirm nor deny that I have used Tarsnap[0] for just such a thing.

                            [0] https://www.tarsnap.com

                            1. 2

                              I have three security keys: A, B, and C. Key A is on my keyring, which is always in my pocket. Key B is in a folder of important documents in my house. Key C is offsite, at my parent’s house in another country. B and C have a set of printed backup codes attached to them. I also register MacBook and iPhone Touch ID where possible, so 5 keys in total. Few services actually support this ideal setup (e.g. some have max 2 keys, USB key only, no backup codes, force SMS backup, proprietary OTP, or other limitations), so I have a spreadsheet that tracks the status for each service.

                              I don’t feel the need for a safe. Phishing is a much more likely attack, which security keys prevent by design. The backup codes are only for peace of mind in case the security keys stop working. If someone steals a key or the backup codes, they are useless without passwords. For each possible attack scenario (master password guessed, phone stolen, etc.) and loss scenario (master password forgotten, key lost, etc.) I’ve written down a list of actions, e.g. unregistering keys, remotely deauthorizing sessions, etc.

                              1. 1

                                PGP encrypt, save as DNS TXT records