Separate account for backup / recovery codes vs printing physical copy?

Currently when I setup 2FA and get a recovery / backup code, I'm storing it within 1Password which is counter intuitive. I know I can print physical copies but I'd prefer not to.

Curious if there are any cons to opening a second 1Password account or using a competitors service just for one time use passwords?

What do you guys do?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • LarsLars Junior Member

    Team Member

    @GoldenMustache - good question. What you're describing is the difference between 2SV (Two-Step Verification) and genuine 2FA (Two-Factor Authentication). The differences are small (and subtle) but real. However, for most people (me included, as well as many of us), our use-case and threat model isn't such that a genuine second factor is likely to be the difference between getting hacked and not.

    Storing your TOTP secret within 1Password will still prevent a password breach situation (on a well-set up website, anwyay), in that even if a cache of passwords is poorly stored somewhere, and leaks out onto the internet, someone with your password to XYZ site would still need the TOTP code in order to access your data/account. In such an example, having 2SV (stored in 1Password) would be just as effective as having a genuine second factor. A genuine second factor (like a separate device) would be helpful mostly in cases where an entire device is stolen/compromised. So, for example, if your laptop is stolen from a hotel or cafe, or you leave your phone behind on a plane and it falls into the wrong hands. However, (and this is where the whole "threat model" part comes in) even in such a case, an adversary in possession of your phone or laptop would have to first bypass any whole-disk encryption you had on the device itself - or at least know/guess/crack your device passcode, and then ALSO break into 1Password itself. By that time, it's pretty much game over on a lot of levels. If someone can get that far into your devices, you'll have bigger problem on your hands, and they likely won't be spending their time trying to reset your TOTP codes that you have on your genuine second factor device -- at least, not right away.

    None of the above ^^ should be construed as us recommending you NOT use a real second factor, if you feel your situation is such that you would benefit from one. We just offer TOTP within 1Password as a way to increase your security for many situations while doing what we can within our own app to also increase convenience and usability. Hope that helps!

  • Hey @Lars after rereading my post I may have worded what I wanted to ask incorrectly.

    Having TOTP in 1Password isn't my issue.

    It's the static "backup codes" or "recovery codes" that sites provided after you setup 2FA in case someone does get access to your TOTP, similar to the emergency kit you guys provide.

    I'm sure that hacking into my 1Password account is as hard as it gets but that's what I'm worried about not if someone gets into again. Short of getting spam mail, I use unique passwords and 2FA wherever possible so that's not a concern.

    My concern is my actual 1Password account or people who intercept SMS generated codes.

    I know it's a stretch for our use case. I just feel like I don't want to ignore those codes and their instructions.

  • brentybrenty

    Team Member
    edited January 2019

    @GoldenMustache: Thanks for clarifying. I think it's important to take a step back though and define what threat(s) you're trying to defend against. Otherwise you're just making yourself jump through hoops for no good reason.

    There's a lot we could discuss in this regard since different services and the people who use them can have very different contexts and risks associated with them. But in general, if you're saving something outside of your 1Password account because of a concern of what someone might be able to do if they get into your account, and wanting to make sure that they don't get access to everything by doing so, you may want to think again.

    In the vast majority (if not all) cases, services where we'll be using two-factor or two-step authentication have a way to go around that. "Backup codes" and other "recovery" methods are evidence of this: account data is not encrypted with most services, and protected by only authentication (the opposite is true of 1Password). There are usually ways to get into your accounts without the use of a one-time password, a one-time-use backup/recovery code. It's often just a matter of having the right information: answers to "security questions", access to your email address, etc. And of course anyone with access to your 1Password account will probably find these things there. (SMS "security" is similarly defeated using the right information and/or a bit of expertise; phone providers have notoriously lax security.)

    So, if you're thinking you're going to keep someone out of your stuff even if they get access to your 1Password data, you're probably wrong about that. And while it may be possible to compartmentalize things enough to defend against that, it's really building a house of cards that makes it increasingly more likely that you will lock yourself out of something...and ultimately you really don't want someone to get into your 1Password account at all (because of all of the non-two-factor stuff that's saved there too), so it's likely a better investment of your time and energy to do all that you can to keep someone out of your 1Password account in the first place, by using a long, strong, unique Master Password (best accomplished by not having to remember more than one) and practicing good security hygiene to ensure that you don't end up giving your secrets away by entering them into a malicious website, or allowing malware to infect your devices and capture your data as you use it. Put all your effort into securing the most readily-securable thing you have, since you'll have a bad time if it's compromised as long as you have anything of value there.

    And just to clarify, the only way someone is going to get at your 1Password data is by going though you: it's all encrypted locally on your device, and the "keys" needed to decrypt it are only ever in your possession; so even if someone breaks into our server, they can't get what they need to access your data from us.

    However, if you do still want to store some of this stuff separately from 1Password, there are any number of ways you could do that:

    • Save the two-factor "backup codes" in your 1Password account.
    • Create a second 1Password account to save two-factor "backup codes" and similar things (though, where are you going to keep the credentials for that account? probably just kicking the same problem down the street a few yards).
    • Create a local vault to save two-factor "backup codes" (again, then you need to have a backup plan for a second Master Password, if you're not using the same as for the account).
    • Keep two-factor "backup codes" on an encrypted drive/image.
    • Print the two-factor "backup codes" and store them in a secure location, like a safe deposit box.
    • Others I'm not thinking of at the moment -- really, the possibilities are endless.

    Anyway, in the end, it's your data, and you can do whatever you want with it. But hopefully this gives you some ideas that help you make a decision you're satisfied with. Cheers! :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file