Where to store your recovery codes?


I would like to know what is the best place to store your recovery codes. Do you store them in a password manager (Bitwarden, 1Password, etc.), on a drive (Proton Drive, etc.) or elsewhere (external storage, paper, etc.)?

It is up to you and depends on your own threat model.
In my case, when I used iCloud Keychain, I kept my recovery codes in a password-protected note in Apple Notes.
However, I now use a custom password field in 1Password and delete it after using a code. I hardly ever need to use a recovery code since 1Password generates my TOTP code. But just in case, I still keep recovery codes around.

Standard Notes

Isn’t it inadvisable to centralise everything in a password manager, the 2FA and recovery codes?

For me and probably most people, relying on a password manager to store all of these is usually sufficient, particularly if a strong master password and 2FA are enabled for the password manager account.

Depends on how much you value your account. If it is very critical, you might want to avoid commercial password managers that can be backdoored or targeted by attackers, set a password that has very high entropy or use a keyfile to replace password (place the keyfile on an encrypted USB stick), use a hardware key and FIDO/WebAuthn instead of TOTP, and write your recovery codes on paper and lock them in a safe.

If you think paper is more unsafe, then you can put your recovery codes in a text file in a hidden VeraCrypt volume.

Of course, if the above is too tedious, then you can just put the codes in your password manager, knowing the risk that if someone breaks into your password manager, they can bypass both the first and the second authentication factor.

