Where to Store Backup Codes Safely (And Share Them With Your Spouse)

Backup codes are the keys to your accounts when your phone is gone, your authenticator app is wiped, or your spouse needs to log in without you. Here is how to store them safely, why they belong somewhere different than your TOTP secret, and what most people get wrong.

[Image: A small key resting on a wooden surface, representing a spare key kept somewhere safe.]

Backup codes are the spare key. They're what gets you into your accounts when the lost-phone day arrives, when your authenticator app gets reset, or when your spouse needs to log into the household Netflix account without your phone in the room.

They are also one of the most-mishandled artifacts in personal security. Too many people screenshot them and forget where the screenshot lives. A surprising number leave them in the email inbox where they were originally generated. Some people memorize them once, lose the printed copy, and end up locked out anyway.

This guide covers where to store backup codes so they're there when you need them — and where not to store them — and why they belong in a different field than your TOTP secret.

What Are Backup Codes, Exactly

When you turn on two-factor authentication (2FA) on a service — Google, GitHub, your bank, your email — you typically get two things:

  1. A TOTP secret. This is the seed value, shared between you and the service, that your authenticator app uses to generate the rolling 6-digit codes you see when you log in. The seed is set up once (often by scanning a QR code) and used invisibly thereafter to produce a new code every 30 seconds; the service holds the same seed and runs the same computation to check you.
  2. Backup codes. Typically 8 to 16 single-use codes, each 8 to 10 digits or characters long, shown once on a recovery page during 2FA setup. Each one is good for exactly one login if you've lost access to your authenticator app.

These two things solve the same problem (proving you're you) using different mechanisms. They are not the same thing. Conflating them is one of the most common mistakes in 2FA hygiene.

A TOTP secret never gets used up. It produces a new code every 30 seconds, forever. If you have the secret, you have ongoing access. If a TOTP secret is exposed, you lose your second factor: anyone with the secret can produce the same codes you can, and the only remedy is to turn 2FA off and on again so the service issues a fresh secret.

Backup codes are single-use. Once a code is used, it's invalidated. The full set is your fallback. If you lose access to your authenticator app and your backup codes, you're locked out and have to go through the service's account recovery flow — which usually takes days, sometimes weeks, sometimes never resolves.

The asymmetry matters: the TOTP secret needs to be hidden carefully; the backup codes need to be reachable in an emergency. Different storage requirements. Different threat models.
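As an added illustration (not SecureKeep's code, and not any service's actual implementation), the following Go program puts the two mechanisms side by side: an RFC 6238 TOTP generator that produces the same code for the same secret and time window indefinitely, and a service-side backup-code store that keeps only a peppered HMAC of each unused code and deletes it on redemption, so a code works exactly once. The secret is the RFC 6238 test vector, and the pepper and the store's API names are this example's own constructed choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// TOTP implements RFC 6238 with HMAC-SHA1 and 30-second steps, the defaults most
// services use. The secret is a generator: same secret + same window = same code,
// for as long as the secret exists. Nothing is "used up".
func TOTP(secretB32 string, unixTime int64, digits int) (string, error) {
	s := strings.ToUpper(strings.TrimRight(secretB32, "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod), nil
}

// BackupCodeStore is what the service keeps: a peppered HMAC of each unused code.
// A code is deleted the moment it is redeemed, so each one works exactly once.
// The pepper (a server-side secret) stops someone who steals this table from
// brute-forcing 8-digit codes offline, which a plain SHA-256 would not prevent.
type BackupCodeStore struct {
	pepper []byte
	unused map[[32]byte]struct{}
}

func (s *BackupCodeStore) tag(code string) [32]byte {
	m := hmac.New(sha256.New, s.pepper)
	m.Write([]byte(strings.ReplaceAll(code, " ", ""))) // tolerate "1234 5678" formatting
	var out [32]byte
	copy(out[:], m.Sum(nil))
	return out
}

// IssueBackupCodes creates count numeric codes of the given length. The plaintext
// list is returned exactly once (the "print this page now" moment during 2FA setup);
// only the store survives on the service side.
func IssueBackupCodes(count, digits int, pepper []byte) ([]string, *BackupCodeStore, error) {
	store := &BackupCodeStore{pepper: pepper, unused: make(map[[32]byte]struct{}, count)}
	space := big.NewInt(1)
	for i := 0; i < digits; i++ {
		space.Mul(space, big.NewInt(10))
	}
	codes := make([]string, 0, count)
	for len(codes) < count {
		n, err := rand.Int(rand.Reader, space) // CSPRNG, uniform in [0, 10^digits)
		if err != nil {
			return nil, nil, err
		}
		code := fmt.Sprintf("%0*d", digits, n.Int64())
		t := store.tag(code)
		if _, dup := store.unused[t]; dup {
			continue // astronomically unlikely, but a duplicate would not be single-use
		}
		store.unused[t] = struct{}{}
		codes = append(codes, code)
	}
	return codes, store, nil
}

// Redeem consumes a code. Unknown and already-used codes both return false,
// so a caller cannot tell the two apart.
func (s *BackupCodeStore) Redeem(code string) bool {
	t := s.tag(code)
	if _, ok := s.unused[t]; !ok {
		return false
	}
	delete(s.unused, t)
	return true
}

func (s *BackupCodeStore) Remaining() int { return len(s.unused) }

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890" in base32), not a real account.
	const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	for _, t := range []int64{30, 59, 60} {
		code, _ := TOTP(secret, t, 6)
		fmt.Printf("t=%d totp=%s\n", t, code) // 30 and 59 share a window; 60 starts the next
	}
	codes, store, err := IssueBackupCodes(10, 8, []byte("constructed-server-pepper"))
	if err != nil {
		panic(err)
	}
	fmt.Println("issued:", codes)
	fmt.Println("first use:", store.Redeem(codes[0]), "second use:", store.Redeem(codes[0]),
		"remaining:", store.Remaining())
}
```

Run it and the contrast is visible in one screen: the TOTP output at t=30 and t=59 is identical and would be again a year from now, while the first backup code is accepted once and refused the second time. That is why the secret has to stay hidden and the codes only have to stay reachable.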

Why Backup Codes Need a Different Home Than Your TOTP Secret

If you store both your TOTP secret and your backup codes inside your authenticator app, you've collapsed the redundancy. Lose the phone, lose the authenticator app, lose access to both. The backup codes are supposed to be the fallback for the authenticator app being unavailable. They cannot live inside the thing they're backing up.

The same logic applies in reverse: if you store both inside a single field of a password manager labeled "2FA notes," you lose the architectural distinction. Some apps will only let you reach that field by unlocking the manager — which is fine, until the day you can't unlock the manager (because your master password slipped your mind, because biometrics failed during a bad finger cut, because the phone is dead). At that moment, the backup codes don't help.

The pattern that works:

  • TOTP secret lives with the credential, ideally in a structured field tied to that credential, encrypted at rest, only accessible via your master password or biometric.
  • Backup codes live with the credential too — but in a separate structured field, so an emergency view, a print export, or a trusted person can get to them without revealing your TOTP secret.
  • A copy of the backup codes lives somewhere outside the password manager: printed in a fireproof box, sealed in an envelope in your filing cabinet, or stored as part of an encrypted backup file in a separate location.

In v3.0.0, SecureKeep's structured 2FA implements exactly this: a TOTP Secret field and a Backup Codes field on each credential, both masked, both encrypted, both visible to whoever holds the vault — but separately. They are two different artifacts and they finally have two different homes.

The Storage Hierarchy — From Best to Worst

In rough order from "responsible" to "this will hurt you someday":

Excellent:

  1. Inside a structured Backup Codes field on the credential, in your password manager. Encrypted at rest. Reachable through master password or biometric. Plus —
  2. A printed copy in a fireproof box, sealed envelope, or filing cabinet. This is the backup-of-the-backup. It's how your spouse reaches the codes when your phone is also gone.
  3. A printed copy with a designated trusted person. Sealed envelope with a clear label. The person doesn't open it unless an actual emergency requires it.
  4. An encrypted backup file of your password manager, stored in a location separate from your phone (a fireproof safe, a USB stick at a sibling's house, an iCloud Drive folder you're confident in). This contains everything, including the backup codes. A cloud location is fine only because the file is encrypted: the provider sees ciphertext, as long as the backup's passphrase is not stored next to it.

Acceptable:

  1. A note in a secure-notes feature of your password manager, not the same field as the TOTP secret. Encrypted, reachable via master password.
  2. A photograph of the backup codes printout, stored in your password manager's encrypted document section. This works but adds friction — you can't paste a code from a photo, you have to read it visually.

Risky:

  1. A screenshot in your phone's Photos app. The photo library is only as protected as the device lock, it syncs to iCloud Photos or Google Photos by default, the OS runs text recognition over images so the digits turn up in Spotlight or Photos search, and the picture can land in a shared album by mistake.
  2. In your email inbox, where the recovery email arrived. Forever. Searchable. If your email account is breached, every backup code you've ever received is also breached.

Don't:

  1. In a Google Doc, Notion page, Dropbox file, or any unencrypted cloud document. None of these are designed for credential storage. Indexed by the platform's search. Visible to anyone with read access if you ever shared the document.
  2. In a text file on your desktop. Plaintext. Searchable. Visible to anyone who borrows your laptop.
  3. Memorized. Backup codes are typically 8 or more characters each, 8 to 16 of them, single-use, and the whole set is regenerated (invalidating the old one) every time you reset 2FA or request new codes. Memorization is unrealistic and the codes change anyway.
  4. In the same authenticator app that produces your TOTP code. Collapses the redundancy. Lose the phone, lose both.

How to Share Backup Codes With Your Spouse

This is the part most articles skip. Backup codes aren't just for your own future-self — they're for the people who depend on you.

The household pattern that works:

  1. Each adult has their own vault on a shared family device. SecureKeep's multi-vault model is built for this. One iPhone (or one Android phone) holds your spouse's vault, your parent's vault, and your own vault. Different master passwords. Different content.
  2. Each vault has its credentials with structured TOTP secrets and backup codes. Both fields are encrypted and masked. Either spouse can reach them by unlocking the appropriate vault on the shared device.
  3. The trusted person (spouse, adult child, parent) knows where the device is and the master password to the vault relevant to them. This is usually communicated via a physical Emergency Card export — printed, sealed, and stored somewhere safe. The Emergency Card itself doesn't contain backup codes, but it documents how to reach them.
  4. Periodically, the printed copy of the highest-priority backup codes (email, banking, the password manager itself) in the fireproof box at home is refreshed, out of band. The household keeps a calendar reminder once a year, and refreshes the sheet immediately whenever a code is used up or a set is regenerated, since the paper is stale from that moment on.

The point isn't that any single mechanism is perfect. It's that redundancy plus structure plus a clear handoff is how households actually pull this off.

A Few Account-Specific Notes

Email. Your email is the single highest-value account in your digital life — it's the password reset path for everything else. Generate backup codes for your email account specifically, store them in your password manager and on paper in a fireproof box. If you only do this for one account, do it for email.

Bank accounts. Not every bank offers authenticator-app 2FA; many (especially in the US and UK) fall back on, or only offer, an SMS code. SMS feels safer than it is: it's vulnerable to SIM-swapping and number port-out fraud, which hand your "second factor" to whoever convinces the carrier. Where the bank offers it, prefer authenticator-app 2FA backed by stored backup codes.

Password manager itself. This is the meta case. If your password manager has 2FA enabled (1Password, Bitwarden, LastPass — all support this), your backup codes for the password manager cannot live inside the password manager. Print them. Fireproof box. Done.

Government services. Some government 2FA implementations don't issue backup codes — they require you to call a phone line for recovery. Document the recovery phone number in your password manager so it's reachable when needed.

A Field-Level Walkthrough in SecureKeep

In v3.0.0, when you add or edit a credential in SecureKeep, the 2FA section has two structured fields:

  • TOTP Secret — for the seed value (typically a long base32 string, or scanned from a QR code). Masked when displayed.
  • Backup Codes — multiline field for the recovery codes you saved when 2FA was set up. Masked when displayed.

Both are encrypted with the vault's data encryption key (AES-256-GCM) before being written to disk. Both are reachable only after master-password or biometric unlock. The two fields are deliberately separate so that a future export, an emergency view, or a trusted-person handoff can surface backup codes without revealing the TOTP secret — and vice versa.

If you have credentials from earlier versions of SecureKeep where 2FA information was stored in a single twoFactorInfo field, the v3.0.0 migration moves that content into the Backup Codes field on first edit. The migration is one-way and conservative — your data is preserved, just placed where the structured model expects it.
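The two-field design described in the storage pattern earlier and in this walkthrough can be made concrete. The following Go program is an added example, not SecureKeep's implementation or on-disk format: it assumes a Credential record holding one AES-256-GCM blob per 2FA field, derives a distinct key per (credential, field) from the vault's data key with HMAC-SHA256, binds every blob to its credential and field name through GCM's associated data, and models the legacy twoFactorInfo migration. The field labels, the key-derivation string, the handoff-key idea and the choice to leave the legacy text in place after migration are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	FieldTOTPSecret  = "totp-secret"
	FieldBackupCodes = "backup-codes"
)

// Credential is the record shape assumed for this example (not SecureKeep's real
// format). Each 2FA artifact is its own AES-256-GCM blob laid out as nonce || ciphertext.
type Credential struct {
	ID            string
	TOTPSecret    []byte
	BackupCodes   []byte
	TwoFactorInfo string // legacy free-text field from before structured 2FA
}

// fieldKey derives a distinct 256-bit key per (credential, field) from the vault's
// data encryption key, using HMAC-SHA256 as the KDF. Holding the backup-codes key
// reveals nothing about the totp-secret key, so one can be handed off alone.
func fieldKey(vaultKey []byte, credID, field string) []byte {
	m := hmac.New(sha256.New, vaultKey)
	m.Write([]byte("example-vault/v1/" + credID + "/" + field)) // constructed label
	return m.Sum(nil)
}

// aad binds a ciphertext to its slot: a blob pasted into another field or another
// credential fails authentication instead of quietly decrypting in the wrong place.
func aad(credID, field string) []byte { return []byte(credID + "/" + field) }

func sealField(key []byte, credID, field, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), aad(credID, field)), nil
}

// OpenField decrypts one blob with one key. Exported so a caller can see exactly
// what a given key holder can and cannot read.
func OpenField(key []byte, credID, field string, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(credID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func (c *Credential) SetTOTPSecret(vaultKey []byte, secret string) (err error) {
	c.TOTPSecret, err = sealField(fieldKey(vaultKey, c.ID, FieldTOTPSecret), c.ID, FieldTOTPSecret, secret)
	return
}

func (c *Credential) SetBackupCodes(vaultKey []byte, codes string) (err error) {
	c.BackupCodes, err = sealField(fieldKey(vaultKey, c.ID, FieldBackupCodes), c.ID, FieldBackupCodes, codes)
	return
}

// BackupCodesHandoffKey is what an emergency view or trusted-person export could
// carry: enough to read this credential's backup codes and nothing else.
func BackupCodesHandoffKey(vaultKey []byte, credID string) []byte {
	return fieldKey(vaultKey, credID, FieldBackupCodes)
}

func (c *Credential) ReadBackupCodes(handoffKey []byte) (string, error) {
	return OpenField(handoffKey, c.ID, FieldBackupCodes, c.BackupCodes)
}

func (c *Credential) ReadTOTPSecret(vaultKey []byte) (string, error) {
	return OpenField(fieldKey(vaultKey, c.ID, FieldTOTPSecret), c.ID, FieldTOTPSecret, c.TOTPSecret)
}

// MigrateLegacy copies a pre-structured twoFactorInfo value into the Backup Codes
// field when that field is still empty. The legacy text is left untouched (this
// example's reading of "conservative": nothing is discarded) and the call is idempotent.
func (c *Credential) MigrateLegacy(vaultKey []byte) error {
	if c.TwoFactorInfo == "" || len(c.BackupCodes) > 0 {
		return nil
	}
	return c.SetBackupCodes(vaultKey, c.TwoFactorInfo)
}

func main() {
	vaultKey := make([]byte, 32) // constructed; a real vault key comes from the master-password KDF
	if _, err := io.ReadFull(rand.Reader, vaultKey); err != nil {
		panic(err)
	}
	c := &Credential{ID: "cred-42"}
	_ = c.SetTOTPSecret(vaultKey, "JBSWY3DPEHPK3PXP") // constructed sample values
	_ = c.SetBackupCodes(vaultKey, "12345678\n87654321")
	hk := BackupCodesHandoffKey(vaultKey, c.ID)
	codes, _ := c.ReadBackupCodes(hk)
	fmt.Printf("handoff key reads backup codes:\n%s\n", codes)
	_, err := OpenField(hk, c.ID, FieldTOTPSecret, c.TOTPSecret)
	fmt.Println("handoff key on TOTP secret:", err) // authentication failure, not a secret
}
```

The property worth checking is the negative one: the handoff key opens the Backup Codes blob and fails on the TOTP Secret blob, and moving a blob between fields or credentials also fails because the associated data no longer matches. A single "2FA notes" field encrypted under one key cannot offer that separation, whatever it is called in the UI.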

Frequently Asked Questions

Are backup codes encrypted in SecureKeep? Yes. Backup codes are stored in a structured field on the credential, encrypted with the vault's per-vault data encryption key (AES-256-GCM) before being written to disk.

Can I print my backup codes from inside SecureKeep? Not directly today. The Emergency Card export is the closest equivalent — you can document where backup codes live and how to reach them on the printed Emergency Card without including the codes themselves.

What happens to my old twoFactorInfo data? v3.0.0 migrates legacy twoFactorInfo content into the new Backup Codes field on the first edit of each affected credential. The migration is conservative — original content is preserved.

If I lose my phone AND my paper copy of backup codes, am I done? Not necessarily. If an encrypted backup file of your password manager exists somewhere else (cloud drive, USB stick, with a trusted person), restore it and retrieve the codes from there. If the device and every backup path are gone, you fall back to each service's account-recovery flow, which is usually slow but not impossible.

Should I store TOTP secrets and backup codes in two different password managers? Generally no — splitting your second-factor across two managers creates more failure modes, not fewer. Better: one password manager with structured fields, plus an out-of-band copy of the highest-priority backup codes (email, banking) on paper.

What about YubiKey or hardware security keys? Hardware keys replace TOTP for many services. If you use a hardware key, your backup codes are the fallback if the key is lost, which is also why most services that support keys recommend registering a second key. SecureKeep doesn't manage hardware keys directly, but you'd still store their associated backup codes in your vault.

My service uses SMS-based 2FA. Where do I store anything? SMS doesn't have backup codes the way authenticator-app 2FA does: the factor is control of your phone number, and the only "fallback" is a replacement SIM, which is exactly what a SIM-swap attacker obtains. Better practice: switch the service to authenticator-app 2FA where it's offered, then generate backup codes from there.



SecureKeep is a $7.99 one-time-purchase encrypted vault for iOS and Android. Multi-vault, emergency cards, voice messages, password health, structured 2FA with separate backup-codes storage — all encrypted locally, no cloud account required. See all features →