Step 3: Store Your Backup Codes in Your Password Manager

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

After going through the process of configuring 2FA settings, you might get to the end of the steps and see a new term used: backup codes.

Backup codes (or recovery codes) are “break glass” codes that can be used as a backup option in the event something happens with the device you use to generate the two-factor codes.

The list of apps for generating two-factor codes is long and includes Google Authenticator, Authy, Microsoft Authenticator, Duo Security, and others. When you use an app on your phone to generate those codes, it generates keys that are stored on your phone so only your phone can generate the right codes to get into your account. If you experience that horrific moment of losing or breaking your phone, those keys may be lost. All hope is not lost, however, and that is why you are given backup codes at the end of that set-up process.

Important: Get into a good habit of saving and protecting backup codes, just as you would your password or your 2FA device. Do not just download the file and leave it in your downloads folder, or skip saving them altogether. Treat these backup codes like a spare key, and protect them the same way you would your normal key. Copy them into your password manager or print them out and keep them stored somewhere safe that others can’t access, like a locked file cabinet or safe.

Danger: Make sure your backup codes are in a safe place you can remember. If you lose 2FA via other mechanisms and have no backup codes, you could be locked out completely. If you have access to backup codes, in the event that your phone or other 2FA device is lost, damaged, or replaced, you can still find a way in.

Step 4: Update Your Account Recovery Options

Assuming that the steps outlined above have been followed, it is unlikely that you would lose your password at this point—your password is stored safely, and two-factor authenticated to boot.

Account recovery options for a service allow a user to have a backup email or other contact information, or answers to questions on file with the service, to recover access in the event the user forgets a password or otherwise loses access to the account.

Danger: Setting up account recovery options securely is important because these settings could give an attacker an alternate way to access your account—even if they don’t have your password.
