2FA Backup Recovery

The cluster discusses strategies for backing up two-factor authentication (2FA) codes and recovering account access after losing a phone or device, recommending tools like Authy, recovery codes, password managers, and hardware keys to avoid lockouts.

📉 Falling 0.2x | Security | 4,036 Comments | 17 Years Active | 5 Top Authors | Topic ID #8871

Activity Over Time

Comments per year: 2010: 1, 2011: 28, 2012: 87, 2013: 74, 2014: 42, 2015: 44, 2016: 146, 2017: 256, 2018: 216, 2019: 319, 2020: 292, 2021: 410, 2022: 776, 2023: 642, 2024: 405, 2025: 286, 2026: 12

Keywords

E2EE OR e.g HN SIM SMS MOST GV stackexchange.com i.e 2fa codes backup phone authenticator backups device recovery 1password access

Sample Comments

alchemism Jun 20, 2019

Use Authy. 2FA via account instead of device is hypothetically less-secure but as a practice for individual security, far better than being locked out of everything after the misfortune of losing a phone.

aianus Jul 8, 2017

I have encrypted backups of all my 2FA secrets in two locations. I change phones every year and have never lost an account.

k8sToGo Apr 10, 2022

Use something like Authy. It supports Backup. Anyways, you are supposed to stash your recovery codes somewhere (not on the phone).

1123581321 Aug 16, 2022

It’s a good question. A lot of 2FA apps have manual backup/restore functionality. Some have cloud sync (e.g. iCloud sync so your new iPhone has the same app and codes, or 1Password/Bitwarden which has you log back into the app on the new phone with their service login.) These 2FA syncs can be a point of weakness so not everyone uses them. The services themselves (rubygems etc.) also provide a short list of one-time account recovery codes. You’re supposed to essentially print them and

mNovak Jul 12, 2019

Likewise, it was not fun when my phone with GA surprise died. Many services with 2FA do not provide backup codes. I switched over to Authy for this reason--they allow an encrypted backup of the TOTP secrets.

ww520 Jan 1, 2025

One of the risks of 2FA is losing access to your accounts after losing the authenticating device. Backing up the 2FA seeds mitigates that risk. The backup needs to be encrypted with the password remembered and stored somewhere. Sounds like it’s a job for a password manager, preferably in an offline local password manager with a different database.

lucasgonze Jan 21, 2023

This seems like a bug, not a feature. Personally I have Authenticator for day to day use, a Yubikey for restoring access if something happens to my phone, and backup codes.

projektfu Jul 9, 2022

Why not use something like Authy that's backed up and has a recovery password? I just download it on my next phone and am good to go.

otachack May 5, 2022

Not that I know of, but you should definitely at least enable a second form of 2FA like the recovery codes OR a second security key, then print/write/store the file/key somewhere. If you lose your primary, then you can use that secondary. Never just have 1 form of 2FA without a fallback.

pwenzel Jan 19, 2023

1Password stores QR codes and syncs them across any device that has access to your vault. I highly recommend this solution if you're worried about losing access to your 2FA codes. It is also easy to back up.