WARNING: 2FA is great – but did you back up the seed/recovery key?

So, you realised you need to take security seriously, and are feeling pretty smug having set up 2-Factor Authentication (2FA). Awesome!

But take a minute and a step back – what if you lost your phone/device with your 2FA app, or smashed the screen and the device was not usable?

Sure, there are ways to recover accounts – but that can result in complete security lockouts and all kinds of hoops to jump through. Expect a lot of wasted time and a period where you can’t access your crypto accounts.

So next time you set up 2FA, don’t just take a picture of the QR code – actually record the ‘seed’ and store it securely and separately from the device that has your 2FA application installed. Then manually type the seed you recorded into your 2FA application – that way you know you’ve recorded it correctly!
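One way to check a written-down seed, as an added example that is not from the original post: the text inside a 2FA QR code is normally an `otpauth://` URI whose `secret` parameter is the base32 seed, and the standard TOTP algorithm (RFC 6238, assumed here with the common HMAC-SHA1, 30-second, 6-digit defaults) turns that seed into the code your app shows. The function names are hypothetical and the sample URI is constructed from the RFC's published test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample: an otpauth:// URI built from the RFC 6238 test key, not a real account.
SAMPLE_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

def seed_from_otpauth(uri):
    """Return the base32 seed carried in the text a 2FA QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secret = parse_qs(parsed.query).get("secret")
    if not secret:
        raise ValueError("URI has no secret parameter")
    return secret[0]

def decode_seed(seed):
    """Decode a hand-recorded seed, tolerating spaces, dashes and lower case."""
    cleaned = seed.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # apps usually drop base32 padding
    try:
        return base64.b32decode(cleaned)
    except ValueError as exc:  # e.g. a 0, 1, 8 or 9, which base32 never uses
        raise ValueError("not valid base32, re-check the written copy") from exc

def totp(seed, at=None, step=30, digits=6):
    """RFC 6238 code for `seed` at Unix time `at` (HMAC-SHA1 assumed)."""
    now = time.time() if at is None else at
    counter = max(0, int(now // step))
    mac = hmac.new(decode_seed(seed), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def backup_matches(recorded_seed, app_code, at=None, step=30):
    """True if the recorded seed reproduces the app's code, allowing one step of clock drift."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(recorded_seed, now + d * step, step), app_code)
               for d in (-1, 0, 1))

if __name__ == "__main__":
    seed = seed_from_otpauth(SAMPLE_URI)
    print("seed to write down:", seed)
    print("code at t=59:", totp(seed, at=59))
    print("backup verified:", backup_matches("gezd gnbv gy3t qojq gezd gnbv gy3t qojq", "287082", at=59))
```

If `backup_matches` returns True for the seed as you wrote it down and the code currently shown in your authenticator app, the written copy is good.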

Your sensitivity to risk will dictate what ‘secure’ means to you – for some it will be an obscured note written down and stashed in a fireproof safe, for others an encrypted password manager might do… but take care to make it unusable, or at least not linked to an obvious ‘account’, if anyone else were to come across it.

Just never, EVER store it as plain text or as a note on your phone/computer… you may as well not have 2FA if you’re doing that!!

20 thoughts on “WARNING: 2FA is great – but did you back up the seed/recovery key?”

  1. The best thing to do is have a backup phone with 2FA replicated on that. Leave it at home and you’ll never be caught out.

  2. Recently I changed my phone and lost all 2FA for most of my apps (some random bug). It took about 4h straight to reconfigure and change all apps’ passwords and stuff. This can be a huge pain in the ass…

  3. Implementing a Succession Plan is important also.
    One situation… you memorize your seed phrase and die unexpectedly… all your crypto is lost and not given to who you’d wanted to have it upon your death…
    Crypto Will?

  4. Pro tip: use a second (or unused) phone/tablet as a backup for your 2FA. Most 2FA apps can do this.

    Don’t rely on just one device. You might get drunk one day and lose your phone or get robbed.

  5. When setting 2FA up with Google Authenticator, one big exchange, I think it was Coinbase, only gave a QR code and no recovery phrase. I’m told keeping a picture (offline of course) of the QR does the trick but I’m not happy with them for it.

  6. I used to think the same until I got the idea to have the 2FA app be available everywhere. So I got Authy, which isn’t the best but is on all my devices, phones, tablets, new and old, and has email and VoIP phone registration. Boom, backups of backups. I actually have devices I haven’t touched at all except once. Every 6 months I force resync Authy and recharge them… the app login can be protected.

    I’ve heard Bitwarden’s 2FA isn’t the best and you shouldn’t trust a single app with everything. So my 2FA and password management are separate. Good Kubernetes though. I do wish Bitwarden had a secret encrypted notes option though.

  7. I’ve done that multiple times on Google Authenticator and Authy, and they never fucking work. It’s as if they are terrible options?

  8. I put 2FA on a couple authenticator apps. Then I went and bought a cheap ($10) prepaid smartphone just to use as a security backup with copies of those apps. And the codes entered there. I store that in my bug out bag. No sim card in it, it’s just for security apps like this.

    I also use KeePass. That lets you attach the image (screenshot) of the QR code itself in the entry for that website. In case you want to scan it into an authenticator app again in the future. You can add the seed in attachments as well. And KeePass has Time-Based One-Time Password plugins that let you enter the seed and then right clicking on the entry it will give you the security code the same as the authentication apps.

    And the KeePass app I use on my phone works with the stored TOTP entries as well.

  9. I’m backing up all my TOTP seeds. But for crypto it doesn’t make sense, usually what you back up is the 12/24-word recovery phrase?


