How to store 2FA codes safely
Two-factor authentication is one of the best things you can do for your security — but a lost phone or a misplaced backup code can lock you out for good. Here's how to store 2FA codes so they're both safe and recoverable.
The three things people lose
When we talk about '2FA codes' there are really three different secrets, and each needs a plan:
- TOTP secrets — the seed behind the rotating six-digit codes in an authenticator app.
- Backup / recovery codes — one-time codes a service gives you when you enable 2FA.
- Recovery keys — longer keys some services issue to regain account access.
Do: keep an encrypted backup of your TOTP secrets
The classic mistake is setting up an authenticator app that lives only on one phone. Lose the phone and you lose every code. Use an authenticator that keeps an encrypted backup so you can restore on a new device. IronVault's built-in authenticator stores each TOTP secret encrypted with AES-256-GCM and syncs it across your devices, so a lost phone is an inconvenience, not a lockout.
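The two mechanisms this section leans on, a TOTP seed that produces rotating codes and an AES-256-GCM backup of that seed, are easy to show end to end. The Go program below is an added example written for this page; it is not IronVault's code, and the page does not say how IronVault derives its encryption key from the master password. The example assumes PBKDF2-HMAC-SHA256 for that step (implemented by hand so only the standard library is needed), a 100,000-iteration work factor, and a fixed associated-data label; the seed value is the published RFC 6238 test seed, not a real account secret. It seals a seed under a master password, restores it on a "new device", and checks that the restored seed still yields the right six-digit code. A wrong master password or a tampered backup fails the GCM tag check rather than yielding a silently wrong seed, which is the property that makes a synced encrypted backup safe to keep.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Assumption for this example: the vault key comes from PBKDF2-HMAC-SHA256.
// Implemented inline (RFC 8018, section 5.2) to avoid non-standard-library deps.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	blocks := (keyLen + prf.Size() - 1) / prf.Size()
	out := make([]byte, 0, blocks*prf.Size())
	idx := make([]byte, 4)
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_n, XORed into the running block
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const kdfIterations = 100_000 // assumed work factor, not a value from the page

var aad = []byte("totp-secret-v1") // associated data: binds ciphertext to its purpose

// sealedSecret is the record that would be written to the synced backup.
type sealedSecret struct {
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

func newGCM(masterPassword string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(masterPassword), salt, kdfIterations, 32) // 32 bytes = AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTOTPSecret encrypts a base32 TOTP seed with a fresh salt and nonce.
func sealTOTPSecret(masterPassword, base32Seed string) (sealedSecret, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return sealedSecret{}, err
	}
	gcm, err := newGCM(masterPassword, salt)
	if err != nil {
		return sealedSecret{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // never reuse a nonce under the same key
	if _, err := rand.Read(nonce); err != nil {
		return sealedSecret{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(base32Seed), aad)
	return sealedSecret{Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// openTOTPSecret is the restore step on a new device; GCM rejects a wrong
// password or a modified backup instead of returning garbage.
func openTOTPSecret(masterPassword string, s sealedSecret) (string, error) {
	gcm, err := newGCM(masterPassword, s.Salt)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, aad)
	if err != nil {
		return "", errors.New("wrong master password or backup was tampered with")
	}
	return string(pt), nil
}

// totpCode computes the six-digit RFC 6238 code (HMAC-SHA1, 30 s step) for a seed.
func totpCode(base32Seed string, unixTime int64) (string, error) {
	clean := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(base32Seed, " ", "")), "=")
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
	if err != nil {
		return "", err
	}
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, uint64(unixTime/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000), nil
}

func main() {
	seed := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" // RFC 6238 test seed, constructed input
	s, _ := sealTOTPSecret("correct horse battery staple", seed)
	restored, err := openTOTPSecret("correct horse battery staple", s)
	code, _ := totpCode(restored, 59)
	fmt.Println(restored == seed, err, code) // true <nil> 287082
	_, err = openTOTPSecret("wrong password", s)
	fmt.Println(err)
}
```

The salt and nonce are stored beside the ciphertext because neither is secret; what must stay secret is the master password, and what must never repeat is the nonce under one key. Time 59 and 1111111109 are RFC 6238 reference points, so a restore can be checked against a known code without any live account.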
Do: store backup codes in your encrypted vault
Backup codes belong somewhere encrypted, searchable and synced — not a screenshot in your camera roll or a note in plain text. Save them as a secure note in a zero-knowledge vault so they're protected by your master password and biometric unlock, and available when you actually need them.
Don't: store 2FA next to the password it protects — without thinking
There's a genuine debate here. Keeping a TOTP code in the same app as the password slightly weakens the 'two separate factors' principle, because one unlocked vault now holds both. The counter-argument: a zero-knowledge vault protected by a strong master password and biometrics is, for most people, far safer than SMS codes or losing access entirely. If you're a high-risk target, keep your most sensitive accounts' second factor on a separate device or a hardware key. We dug into this trade-off in password manager vs authenticator app.
Don't: rely on SMS where you have a choice
SMS codes can be intercepted via SIM-swap attacks. Prefer app-based TOTP or a hardware security key for any account that offers it.
A simple, safe setup
- Use an authenticator with an encrypted, synced backup for TOTP codes.
- Save each service's backup codes as secure notes in your encrypted vault.
- Print or write one master recovery code and store it offline (a safe, a sealed envelope).
- Turn on biometric unlock so day-to-day access stays fast but protected.
Want codes and logins in one place? See how IronVault combines a password manager and an authenticator in a single zero-knowledge app.