Best place to store backup 2FA codes?

Hello!

I have been setting up 2FA on various websites using 1Password as an authenticator app, and many of them provide backup codes. Is 1Password itself a good place to store the backup codes, considering that it is also my authenticator app? I’ve been putting them in the Notes section of each site, but would it be better to store them in individual password entries? Thank you.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    @Leia: I would say yes, but it's up to you. A few things to consider:

    • There is no security benefit to storing them as separate items versus notes in your Login item. Honestly, I use the Notes field too, though I know some people create custom fields for backup codes, security answers, etc. Either way, it's all protected by your Master Password. Make it a great one, and then you don't have to worry about it. :)
    • Storing your two-factor "backup/recovery code" separate from 1Password and/or using a completely separate authenticator app is, depending on how you look at it, more true to the "second factor" concept (though I'd argue that "time" can also serve as a second factor, and you would not be giving that up).

    However,

    • 1Password is the safest place I can put anything digital, so, in the absence of a good reason not to store something there (depending on the use case or my own personal threat model), I will default to that. After all, both we the folks who make 1Password and we the people using it are equally motivated to keep it secure because of the important stuff it's used for. So while "don't put all of your eggs in one basket" is a common aphorism, I'd rather keep everything in a single, super-secure "basket" than have to try to manage multiple storage facilities and "keys" to protect them.

    You may also be interested in another recent discussion on a related topic:

    Separate account for backup / recovery codes vs printing physical copy?

    I hope this helps. Let me know what you think. Happy New Year! :)

  • I tend to disagree here. Let me explain.

    1Password's Master Password use isn't authentic 2FA in the NIST sense, but I understand why they call it that. It's more of an MFA process.

    The option was:

    1) 1Password:
    Master Password
    key
    password for site and your 2FA code

    2) 1Password:
    Master Password
    key
    password for website and a separate, non-1Password-associated 2FA code

    Assume the best but prepare for the worst. Assume your 1Password is the single source of compromise for either scenario. You can see that the second option is better security-wise, with a loss of convenience.

    A halfway point may be to use 1Password and place your 2FA into a standalone, non-syncing vault. That's a lot of work.

    Personally, those backup codes are meant for backup purposes. Worst-case scenario. Place them on an etched piece of metal and put it into a lock box. Create a separate thumb drive with your export of your 1Password backup (you should be doing that already) and put it all in an encrypted container along with those 2FA backup codes.

    If things continue as they have for the last few years, slowly those codes will be less and less prominent, IMO. Passwords are the new second factor. Hardware tokens are capable now of logging you in automagically, and some services have moved to make a password the second, optional auth method.

  • Ben AWS Team

    Team Member

    1Password's Master Password use isn't authentic 2FA in the NIST sense, but I understand why they call it that. It's more of an MFA process.

    That really depends on how you configure TOTP for your 1Password account, I think. If you only store your 1Password account TOTP secret in a device (or devices) like a Yubikey I'd argue that it is "true" 2FA.

    Ben

  • brenty

    Team Member

    @notauser: I don't believe I or anyone else here has said that the Master Password is a second factor. I think most would agree it's the first. We could probably debate about the Secret Key and/or TOTP though, depending on the context. :lol:

    Anyway, I try to be practical. Most people don't use a password manager at all, and many that do are not prepared to use a second password management system just for TOTP/backup/recovery secrets. So I'm not going to pretend otherwise. But certainly as I went into greater detail on in the other discussion (which seems more relevant to what you want to talk about than this one), it's really up to each of us as individuals, and there are plenty of options. And it sounds like you've found one that suits you. Cheers! :)

  • @brenty Thank you for the input! Very helpful. I think I’ll keep them in 1Password, for now at least! My main concern asking this was, what if I lose access to my 1Password account? Then I wouldn’t be able to access any of my accounts anymore. That’d be really devastating. Though I suppose this is what the Emergency Kit is for!

  • Ben AWS Team

    Team Member

    Indeed it is. :) And it is possible to print multiple copies of the Emergency Kit and to store it in multiple separate secure locations. For example you might keep a copy in a fire safe in your home as well as a copy in a bank deposit box. If you somehow lose access to all of those things at once you probably have bigger issues you're dealing with. ;)

    Ben
