2FA.HK FAQ

How to safely store 2FA secret keys and backup codes?

Q: How should I safely store 2FA secret keys and backup codes?

2FA secret keys and backup codes should be stored on trusted devices, in a password manager, or in offline backups. Avoid keeping passwords, 2FA keys, and recovery codes together in an unsafe place.

Updated: 2026-06-19. Tags: 2FA Security, Backup Codes, Secret Key Storage, Account Security, Authenticator

2FA secret keys and backup codes are highly sensitive information. If your account password is leaked but the attacker does not have your 2FA code, logging in may still be difficult. However, if the 2FA secret key is also leaked, the attacker may be able to generate valid verification codes.

Safer storage methods include using a trusted password manager, printing backup codes and storing them in a secure place, saving important 2FA secrets in an offline encrypted file, or using a trusted authenticator app with secure sync features.

It is not recommended to store 2FA secret keys in chat history, public cloud drives, unencrypted text files, screenshot albums, or shared documents. You should also avoid keeping your account password, email password, 2FA secret key, and recovery codes all in the same unsafe location.

For important accounts, it is wise to prepare at least two recovery methods. For example, keep the backup recovery codes provided by the platform and also keep an authenticator app on a trusted device. This reduces the risk of losing access if your phone is lost.

If you suspect that your 2FA secret key has been leaked, log in to the platform as soon as possible, disable the current 2FA setup, bind a new 2FA secret key, and update your password and recovery codes.
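Why a copy of the secret key is enough to produce valid codes, and why binding a new key ends that, as an added example (not code from 2FA.HK). It assumes the platform uses standard TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), which the page does not state; the function names and both key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1): the only inputs are the shared secret and the clock."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # keys are often shown unpadded
    counter = struct.pack(">Q", unix_time // step)    # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, unix_time, window=1, step=30):
    """Platform-side check; accepts +/- `window` time steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * step, step=step), code)
        for i in range(-window, window + 1)
    )


# Constructed sample keys (assumptions, not real account secrets).
OLD_KEY = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test key
NEW_KEY = base64.b32encode(b"constructed-new-key!").decode()  # key bound after rotation


def rotation_demo(now=1_700_000_000):
    """Compare codes from the enrolled device and from a stored copy of the key."""
    device_code = totp(OLD_KEY, now)   # authenticator app on the trusted device
    copy_code = totp(OLD_KEY, now)     # any other holder of the same key
    accepted_before = verify(OLD_KEY, copy_code, now)  # platform still bound to OLD_KEY
    accepted_after = verify(NEW_KEY, copy_code, now)   # platform rebound to NEW_KEY
    return device_code == copy_code, accepted_before, accepted_after


if __name__ == "__main__":
    print(rotation_demo())
```

No password or device identity enters the calculation, so every stored copy of the key (a screenshot, a text file, a chat message) must be protected like the authenticator itself.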