


Question

Many websites give you a recovery key or a list of recovery codes that can be used in place of 2FA tokens if you lose your phone or can't access your token generator.

What are the recommended practices when it comes to storing these codes?

Should these recovery codes be stored along with the password in a password manager? Should they be physically written down and stored somewhere safe?

My main concern is the password manager being a single point of failure. If my password manager is compromised, 2FA is essentially worthless on all the accounts that have it enabled.

Explanation / Answer

For your application, I would suggest storing the recovery keys on plain paper that you put inside a home safe. That's enough security. They'd rather steal the phone or 2FA token from you if they really want your account. And physical attacks are very rare. Actually, you don't even need to put them in a safe. You can put them in the desk drawer at home.

But do not store them inside the password manager, since there's too high a risk that a trojan will compromise the codes. Once you have unlocked the password manager with the master password, any trojan can compromise any password in your password manager.
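As an added example (not part of the original question or answer), the following shows the server side of what the question describes: a site issues a list of random, single-use recovery codes, keeps only salted digests of them, and accepts any unused code in place of a TOTP value. The code length, the hash construction and the lockout threshold are assumptions chosen for illustration, not any particular site's implementation. The walk-through also makes the question's concern concrete: whoever holds the plaintext list, whether the user's paper copy or a leaked password-manager entry, passes the second factor exactly as the legitimate user would.

```python
"""Added example: how a site typically issues and redeems 2FA recovery codes.

Assumptions (not from the original post): codes are 10 hex characters,
stored server-side as salted SHA-256 digests, single-use, with a simple
failed-attempt lockout. Real deployments vary in all of these details.
"""
import hashlib
import secrets

CODE_COUNT = 10          # assumed number of codes issued per account
CODE_BYTES = 5           # 5 random bytes -> 10 hex characters per code
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold; guessing must be rate limited


def generate_recovery_codes(n=CODE_COUNT):
    """Codes shown to the user once; the site keeps only their digests."""
    return [secrets.token_hex(CODE_BYTES) for _ in range(n)]


def normalize(code):
    """Tolerate the formatting a user is likely to copy from paper: case, spaces, dashes."""
    return code.strip().lower().replace(" ", "").replace("-", "")


def hash_code(code, salt):
    """Salted digest so a database leak does not directly yield usable codes."""
    return hashlib.sha256(salt + normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record of one account's unused recovery codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}
        self.failed_attempts = 0

    def remaining(self):
        return len(self.unused)

    def redeem(self, candidate):
        """Return True once per valid code; False for replayed, wrong or locked-out attempts."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False
        digest = hash_code(candidate, self.salt)
        if digest in self.unused:
            self.unused.remove(digest)   # single use: the same code never works twice
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


def demo():
    """Walk through issuance, normal use, replay, and the leaked-list case."""
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)

    first_use = store.redeem(codes[0].upper())   # user types it from paper, any case
    replay = store.redeem(codes[0])              # the same code a second time is rejected
    # Anyone holding the plaintext list (for example from a compromised password
    # manager) passes the second factor exactly as the legitimate user would.
    leaked_list_works = store.redeem(codes[1])
    garbage = store.redeem("0000000000")         # a guess counts against the lockout

    return {
        "first_use": first_use,
        "replay": replay,
        "leaked_list_works": leaked_list_works,
        "garbage": garbage,
        "remaining": store.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that a code is consumed on first use, so a stolen list loses value as the owner burns codes, and that the server never sees a code as anything other than a single-factor bypass: it cannot tell the account owner reading from a drawer apart from an attacker reading from an exfiltrated vault, which is the single point of failure the question is worried about.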