
Print Your Backup Codes

If you lose your MFA device and haven't saved your 10 recovery codes offline, you're locked out forever.

The MFA Lockout Problem

You enabled two-factor authentication. Great. Now your phone breaks, gets stolen, or is simply unavailable when you need to log in. Without a recovery method, you're locked out of your own account — permanently, in many cases.

This happens more than people realize. Lost phones, factory resets that wipe authenticator apps, stolen devices — the exact threats 2FA protects you from can also lock you out if you haven't planned for recovery.

What Are Backup Codes?

When you enable 2FA on most services (Google, GitHub, etc.), they offer you 10 single-use backup codes. These are emergency codes that bypass your authenticator app. Each code can only be used once, and you should store them offline before you need them.

Finding your backup codes:

  • Google: myaccount.google.com → Security → 2-Step Verification → Backup codes
  • GitHub: Settings → Security → Two-factor authentication → Recovery codes
  • Most services: Look in Security or Account settings for "Recovery codes" or "Backup codes"

The Right Way to Store Them

Print them on paper. This is not an aesthetic choice — it's the most secure option:

  • Paper can't be remotely wiped
  • Paper can't be hacked
  • Paper doesn't require a battery
  • Paper survives device failures

Store your printed backup codes:

  1. In a fireproof safe at home
  2. In a safety deposit box
  3. In a sealed envelope with a trusted person

Do not store backup codes:

  • In the cloud (defeats the purpose)
  • In your password manager on the same device as your authenticator
  • In your email (if your email is compromised, so are your codes)
  • In a notes app on your phone (lost at the same moment your phone is)

Using Authy Instead of Google Authenticator

One practical alternative: use Authy instead of Google Authenticator. Authy supports encrypted cloud backup of your TOTP secrets, protected by a separate Authy password. This means if you lose your phone, you can restore your authenticator codes on a new device.

Tradeoff: cloud backup means cloud risk. Your Authy password and backup encryption matter. Use a strong, unique password.

Emergency Recovery Plan

Document your recovery plan and store it somewhere physical:

  1. List all services where you have 2FA enabled
  2. Location of backup codes for each
  3. Phone number on the account (for SMS fallback where it exists)
  4. Trusted contact who can help verify identity if you need account recovery
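
The plan above can be kept as a small inventory and checked for gaps before you print it. The following is an added example, not part of the original tip: the `Entry` fields, the location labels, the `low_water` threshold and the sample plan are all assumptions made for illustration. It records where the codes are kept, never the codes themselves.

```python
from dataclasses import dataclass

# Places the tip says NOT to keep backup codes (labels are this example's own).
UNSAFE = {"cloud", "email", "phone notes app",
          "password manager on authenticator device"}
# Places the tip recommends for the printed copy.
SAFE = {"fireproof safe", "safety deposit box",
        "sealed envelope with trusted person"}

@dataclass
class Entry:
    service: str
    codes_location: str        # where the printed codes are kept ("" if never saved)
    codes_left: int            # unused single-use codes remaining
    sms_phone: str = ""        # number on the account, if SMS fallback exists
    trusted_contact: str = ""  # person who can help verify identity

def audit(entry, low_water=3):
    """Return the recovery gaps for one 2FA-enabled service."""
    gaps = []
    loc = entry.codes_location.strip().lower()
    if not loc:
        gaps.append("no backup codes saved")
    elif loc in UNSAFE:
        gaps.append(f"codes stored in '{loc}'; move them to paper")
    elif loc not in SAFE:
        gaps.append(f"unrecognised location '{loc}'; confirm it is offline")
    # Each code works once, so the printed sheet runs out as codes are used.
    if loc and entry.codes_left <= low_water:
        gaps.append(f"only {entry.codes_left} unused codes left; "
                    "generate a new set and reprint")
    if not entry.sms_phone and not entry.trusted_contact:
        gaps.append("no SMS fallback or trusted contact recorded")
    return gaps

def report(plan):
    """Map each service that has at least one gap to its list of gaps."""
    return {e.service: g for e in plan if (g := audit(e))}

# Constructed sample plan (fictional phone number and contact).
PLAN = [
    Entry("Google", "fireproof safe", 10, "+1-555-0100", "Alex"),
    Entry("GitHub", "email", 10, trusted_contact="Alex"),
    Entry("Bank", "", 0),
    Entry("Registrar", "safety deposit box", 2, sms_phone="+1-555-0100"),
]

if __name__ == "__main__":
    for service, gaps in report(PLAN).items():
        print(service, "->", "; ".join(gaps))
```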

Plan for losing everything. The accounts that matter most are the ones that hurt most when you can't access them.
