Accounts, passwords and backups
Where to keep two-factor authentication backup codes
How to store recovery codes so two-factor authentication does not lock you out later.
What you will learn
You'll know how to store backup codes separately and review them before device changes.
Before you continue
Do not store backup codes beside the account password or only on the same device used for sign-in.
Stop and get help before resetting a phone or deleting an authenticator app if you are not sure backup codes or recovery options are available.
Backup codes are for getting back in
Some accounts give you recovery or backup codes when you turn on two-factor authentication. These codes help if your phone is lost, replaced or unavailable.
They are sensitive. Treat them like keys.
Do not keep the only copy on the same phone
If the phone is lost or broken, a code stored only on that phone may be gone too. Keep a separate copy somewhere you can still reach in an emergency.
That might be a printed copy in a safe place or a secure password manager, depending on your situation.
Label codes clearly but carefully
You need to know which account the codes belong to. Use a clear label, but do not add extra information that would help a stranger sign in.
Avoid writing passwords beside backup codes.
Replace codes after using them
Many backup codes can only be used once. If you use one to get back into an account, check the account's security settings and create a fresh set if the service allows it.
Remove old codes when they no longer work.
Review codes before changing phones
Before replacing or resetting a phone, check important accounts, authenticator apps and backup codes. This is much easier while the old device still works.
What to expect
You have a safer plan for storing backup codes away from the device you may lose.
Sources and further reading
- Turn on multi-factor authentication · Australian Signals Directorate
Supports multi-factor authentication and recovery planning guidance.
