Storing Safe: 2FA Recovery Code

I would like to know about your “hacks” for storing your 2FA recovery code for Bitwarden. Since Bitwarden stores all our private data, like passwords, credit cards, etc., everybody should enable two-factor authentication (2FA). But again, it might happen that you are not able to reach your 2FA device, so that you have to use your recovery code in order to access your Bitwarden account. That’s why it is also required to note down your 2FA recovery code. How do you keep your 2FA recovery code safely stored? Do you write it on a piece of paper and stick it in a wardrobe, or bury it, or whatever? I want to hear your tips & tricks on this topic.


I store it in an encrypted file in a sync service (pCloud).

Pros:

  • I don’t worry about losing it since it’s stored in the cloud and replicated many times.
  • I’m the only one to be able to decrypt it as long as AES 256 remains safe.

Cons:

  • I have to trust pCloud’s privacy policy for them not to make a copy of my file for their own use and try to brute-force it offline.

I can’t think of any other cons, but feel free to criticize my method :)


You could always go with the “on an encrypted flash drive in a safety deposit box” method.


The best solution I ever heard was to use KeePass to store the login info for Bitwarden along with the recovery code. It also doesn’t hurt to keep all the info you need for your emails along with their 2FA codes in the KeePass file, because that is about all you need to recover any accounts if something were to happen to Bitwarden.

Just make sure the password you use to lock the KeePass file is long (20+ characters) and something you’ll remember.

Store the KeePass file on a flash drive along with the installer for KeePass so you have version control. Keep one flash drive in your home and another not in your home in case of fire or other natural disasters. Every year set a reminder to plug in the flash drive to keep it alive and to make sure it hasn’t gone bad.

You could even store the KeePass file in a password manager of someone you trust and rest assured they can’t view it without your password. If you’re feeling froggy you could even export all of Bitwarden to CSV and import that into KeePass.

I would recommend you avoid storing the backup on a cloud server that you don’t own. Not because it’s not “safe”, as many would assume, but because you run into the chicken-and-egg problem. If the password to the cloud server is in your password manager and you don’t have access to your password manager, then you’re doubly screwed.


I love seeing different ideas on this subject! However, I am really surprised that all the methods described so far involve digital storage, that is, you keep your 2FA recovery codes in the form of bits and bytes on an electronic medium, whether encrypted on cloud storage or encrypted on a USB drive.

The method of putting your 2FA recovery code on an encrypted flash drive, or encrypting the 2FA recovery file and uploading it to the cloud, forces you to memorize another long passphrase for the encrypted flash drive or for the cloud storage itself. Many users already have 20-character passphrases for their Bitwarden vaults, so adding one more passphrase, I would argue, puts more strain on your memory.

I seem to sympathize with the idea of writing your 2FA recovery code on a piece of paper and storing it in a safe place in the house. It can be between the pages of an old notebook, or in a drawer that is out of sight, with nothing on the paper itself signalling that it is a recovery code for your Bitwarden vault. However, this method also has its risks: you might lose the piece of paper that you’ve put your recovery codes on, or someone might throw it away, or you might not always be able to reach it (since it is at “home”), etc.

I also agree with this point of view. You are storing all your login data in a Bitwarden vault. But then, you store the 2FA recovery codes for your Bitwarden vault (in encrypted form) in the cloud. So, where are the passphrases for the cloud account and for your 2FA recovery code file stored? In the Bitwarden vault? Chicken-and-egg problem.

You could simply store the info on paper and be done with it. The only thing I would suggest is to store a backup copy outside your home in case of fire or other natural disasters.

Print -> Laminate -> Safety deposit box

I keep mine written on a piece of paper in a fire-proof safe.

I tend to do that with my master password in a wallet (with some sort of anti-theft feature).

I’ve been using the same master password for some time now, and I’ve been wondering what I’ll do to memorize it fast and keep it safe. (Believe me, I’ve been asking this for a long time. The xkcd password generator was the best that worked for me so far.)

My handwriting is horrible, which makes it almost incomprehensible. That’s why I prefer to type all the time.


I keep mine stored in a GPG-encrypted file stored on 3 computers, at least one of which is in a remote location.
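Both the “encrypted file on pCloud” post earlier in the thread and the GPG-encrypted file in this post come down to the same mechanics: derive a key from a passphrase, encrypt the recovery code with AES-256, and periodically prove the backup still decrypts. The script below is an added example, not code from any poster here; it uses the openssl CLI (gpg --symmetric --cipher-algo AES256 would serve the same purpose) and the file names, the passphrase and the recovery code in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): passphrase-encrypt a 2FA recovery
# code with OpenSSL so the ciphertext can live on a flash drive or a sync
# service. Assumes the openssl CLI (1.1.1 or newer, for -pbkdf2/-iter) is
# installed; file names, variable names and the demo values are illustrative.
set -eu

# Key derivation: PBKDF2 with a random salt and a high iteration count,
# so whoever copies the file must pay for every offline guess.
ITER=600000

# encrypt_code <plaintext-file> <ciphertext-file> <passphrase>
# The passphrase is handed to openssl through the environment, not argv,
# so it does not show up in `ps` output on a shared machine.
encrypt_code() {
    RECOVERY_PASS="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass env:RECOVERY_PASS
}

# decrypt_code <ciphertext-file> <passphrase>   -> plaintext on stdout
# Returns non-zero on a wrong passphrase or a damaged file. Note that
# `openssl enc` output is unauthenticated: a wrong passphrase is detected
# only by the padding check, so always compare the result, never trust it.
decrypt_code() {
    RECOVERY_PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -pass env:RECOVERY_PASS
}

# verify_backup <plaintext-file> <ciphertext-file> <passphrase>
# The yearly "plug the drive in and check it still works" step from the
# thread: decrypt and compare byte for byte against the original.
verify_backup() {
    if [ "$(decrypt_code "$2" "$3" 2>/dev/null)" = "$(cat "$1")" ]; then
        echo "backup OK"
        return 0
    fi
    echo "backup FAILED: wrong passphrase or damaged file" >&2
    return 1
}

# Demo with a constructed recovery code and passphrase (neither is real).
WORK="$(mktemp -d)"
printf '%s\n' 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX' > "$WORK/recovery.txt"
encrypt_code "$WORK/recovery.txt" "$WORK/recovery.txt.enc" 'correct horse battery staple'
verify_backup "$WORK/recovery.txt" "$WORK/recovery.txt.enc" 'correct horse battery staple'
rm -rf "$WORK"
```

Whatever you store this way, the passphrase for it has to live somewhere other than the vault it is meant to recover, which is exactly the chicken-and-egg point raised earlier in the thread; the one thing this script cannot do for you is remember that passphrase.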

I print out multiple copies of the recovery code and scatter them amongst my personal property. Wallet, bag etc.

> My handwriting is horrible, which makes it almost incomprehensible. That’s why I prefer to type all the time.

I identify with this comment on a spiritual level.
