Don't Use 2FA Without These! What Are 2FA Backup Codes?

Today we’re answering questions that I’ve seen in my comment section many, many times: What are 2FA backup codes? How do I set them up? And why are they so important?

To get started with this episode, I’m going to assume that you’re already familiar with the different kinds of two-factor authentication: SMS, app-based, and hardware security keys. And you’re probably ready to set up 2FA on your online accounts. If you’re coming into this video without that base understanding of what 2FA is and how it works, watch this series and, specifically, this video I did all about 2FA.

Yubico is sponsoring this episode and I’ll share why I think a hardware key is the best option later on in this video, and I have a coupon code just for my viewers!

Now, if you’ve ever set up 2FA on one of your online accounts, you may have noticed that after you registered your SMS number, app, or hardware key to authenticate, the website shows you up to 10 additional codes and says “hey, these are important, write them down.”

These are backup codes. Don’t shrug them off and just skip past that page. They are important because, in the event of a 2FA failure or loss, they are your last-ditch option to get access to your accounts. If you can’t use your normal 2FA token, you could be locked out of your account even though you’re the legit owner. Backup codes exist to fix that problem.

Why is that a problem, though? When we set up 2FA on our accounts, we are assuming that for future logins we’ll need to input a password plus a special code that’s either sent to your phone via text message or generated by an app on your phone, or that the 2FA step happens when the device you’re logging into is able to verify that you have a hardware key in hand, when you plug it in or tap it. So, logically, if you lose your phone number, lose the phone with the app, or lose the hardware key, you wouldn’t be able to log in, because you wouldn’t have access to that 2FA code or the key to tap.

This is a major reason why I constantly recommend buying two hardware keys or having some sort of backup in place, and that can include your backup codes! Think of backup codes as a failsafe for your accounts: even if you lose your phone number, your phone gets stolen or destroyed, or you lose a hardware key, you can fall back on your backup codes to log in.

So what makes a backup code different from a 2FA code? When you first set up 2FA on an online account, the website generates several unique backup codes, shows them to you in plain text on screen, and tells you to print them out or write them down. Unlike 2FA codes, which change every few seconds, backup codes don’t change. You’ll see 10 or so unique numbers, maybe 6 to 10 digits each, and these are “hardcoded”. Each backup code can only be used once, and then it’s burned.

The backup code is a single-use emergency failsafe key. Since a website can’t reset 2FA for you if you lose your key or your phone gets stolen, these backup codes save you from losing that access.

But backup codes themselves aren’t inherently 100% secure. You may have already caught on to this as I described them: since they are hardcoded, couldn’t an attacker input guesses over and over again until one works? Sure they could, in the same way an attacker could try to steal your 2FA code. But remember: they’d also need your password, which is why it’s important to never reuse passwords and never share your 2FA login codes with anyone else. 2FA must be enabled on your account to generate those codes in the first place, and you have to already be logged in to access and view the backup codes on your account.

Any plaintext code that you have to type in could be stolen in a phishing attack, over your shoulder at a coffee shop, or via spyware. This is also why I recommend upgrading to a YubiKey and getting a backup one: if a website supports the updated security protocols, you’ll never even see a 2FA code that an attacker could steal (there’s nothing for them to see, so nothing to steal), and if you have a backup key you can fail over to that before you ever need the backup codes. And once passkeys are available on the websites you use, you’ll already have a hardware key that supports ’em, because many YubiKeys already support passkeys! So you can see how security is a holistic mindset, not a linear one: you need to consider all the potential windows and doors an attacker could get through, and make sure to lock all of them.

So how do you generate these backup codes? First off, backup codes don’t exist on your account unless you set up two-factor authentication. They are generated by the website as you set up 2FA, or they can be reset AFTER you set up 2FA via the same settings page. For example, if you have a Google account, you can set up 2FA via Settings, Security, 2-Step Verification, then add your YubiKey, 2FA app, or SMS. I don’t recommend SMS because of known vulnerabilities with text messaging (I did a video about SIM swapping here [link]), so I’d choose a YubiKey if the website supports hardware keys, or an app if it doesn’t. If the website gives me the option to set up a second hardware key as a failsafe, I’ll add an extra one just in case my first one is lost or stolen. That way I can always go back, revoke the primary one, and use the failsafe hardware key to log in.

If you want to upgrade to hardware keys, make sure to use my coupon code for a discount on your next purchase. It’s a one-time cost, then you can use them for years! Use the code SHANNONMORSE at checkout on yubico.com, then come back here and watch my tutorials on setting them up!

Once you have 2FA set up on your account, you can access your backup codes. They are generated by the website, and you should keep them somewhere safe. Since they don’t change or refresh like 2FA codes do, I would recommend storing them somewhere offline, like in a fireproof safe. I wouldn’t keep them in a digital file or printed and stored in my wallet, since wallets get stolen and digital files could be accessed by a cyber attacker. If for any reason your printed or written-down codes ever get destroyed, you can log back into your account and ask the site to generate new backup codes for you.

Watch the 2FA Playlist

Even though backup codes exist, you shouldn’t depend on them. If you’ve used up 9 backup codes and only have one left, that means if anything were to happen to that last code, you’d be locked out of your account and nobody could help. So don’t wait until you only have one backup code left. If that ever happens, create 10 new codes and replace the old ones.

Let’s say you lost your hardware keys. To enter a backup code into Google, for example, get your backup codes out of your safe or wherever you stored them. Go to the login screen, sign into your Google account with your username and password, then click “Try another way” when it prompts you for a 2FA key. Here you can enter one of your backup codes; it doesn’t matter which one, as long as you’ve never used it before. Since each code can only be used once, cross it off the list after you’ve used it so you can keep track of how many you have left.
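To make the mechanics concrete, here is an added Python example of how a website could implement backup codes on its side: the fixed set of single-use codes described in the “what makes a backup code different” section, the “try a code over and over” concern, and the “use one, cross it off, regenerate when you’re running low” steps just described. This is not code from the post or from Google or Yubico; the choices to store only salted hashes of the codes and to lock after a fixed number of wrong guesses are my assumptions about a sensible design, and the code length, set size, and lockout threshold are constructed values.

```python
import hashlib
import hmac
import secrets
import string

# Constructed policy values for this example; a real service picks its own.
CODE_COUNT = 10          # the post mentions "10 or so" codes per set
CODE_LENGTH = 8          # digits per code, within the post's "6 to 10" range
MAX_FAILED_ATTEMPTS = 5  # wrong guesses allowed before recovery is locked


def _hash_code(code: str, salt: bytes) -> bytes:
    """Hash a backup code so that a leaked database does not expose usable codes.
    Using PBKDF2 here is a design assumption; the post does not describe storage."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodeStore:
    """Server-side record of one account's backup codes.

    The plaintext codes are shown to the user exactly once (they write them
    down); only hashes are kept. A hash is deleted when its code is redeemed,
    so each code works once and is then "burned", as the post puts it.
    """

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes: list[bytes] = []
        self.failed_attempts = 0
        self.locked = False

    def generate(self, count: int = CODE_COUNT) -> list[str]:
        """Create a fresh set of codes, invalidating any previous set.
        Returns the plaintext codes, which the user must store offline."""
        codes = [
            "".join(secrets.choice(string.digits) for _ in range(CODE_LENGTH))
            for _ in range(count)
        ]
        self._hashes = [_hash_code(c, self.salt) for c in codes]
        self.failed_attempts = 0
        self.locked = False
        return codes

    def remaining(self) -> int:
        """How many unused codes are left; the post suggests regenerating
        well before this reaches one."""
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Accept a code at most once. Wrong guesses count toward a lockout,
        because a fixed, non-rotating code is exactly what invites guessing."""
        if self.locked:
            return False
        candidate_hash = _hash_code(candidate.strip(), self.salt)
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(candidate_hash, stored):
                del self._hashes[i]       # burn the code: it can never be reused
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True            # recovery now needs another path
        return False


def demo() -> dict:
    """Walk through the flow the post describes: enable 2FA and save the codes,
    lose the key, sign in with password plus one backup code, note the count."""
    store = BackupCodeStore()
    codes = store.generate()
    first_use = store.redeem(codes[0])     # True: valid, unused code
    replay = store.redeem(codes[0])        # False: already burned
    return {"first_use": first_use, "replay": replay, "left": store.remaining()}


if __name__ == "__main__":
    print(demo())
```

The password check that happens before the “Try another way” prompt is outside this snippet; `redeem` is the step that runs only after the password has already been verified, which is why the post stresses that the codes alone don’t get an attacker in.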

Do you have questions about backup codes or 2FA? I have a fancy lil playlist on my channel all about 2FA and passkeys that you can check out, and comment below with any questions. Bye, y’all!

Shannon Morse

Shannon Morse is an online video producer and host. She has reviewed hundreds of consumer tech products and produces easily understandable tutorials about security and privacy.

Shannon currently hosts Morse Code, Sailor Snubs, and Shannon Travels The World. Her tech channel is a leading source for practical and logical security and privacy information in today’s digital age.

https://www.shannonrmorse.com/