What Is a Recovery Code and Why You Must Save It

2FA & Passkeys | 3 min read

Recovery codes are easy to ignore when you set up two-factor authentication — and that mistake locks people out of their own accounts every day. A recovery code is a backup key that gets you into an account when your normal second factor is unavailable. Understanding and saving them is just as important as enabling 2FA in the first place.

What recovery codes are

When you turn on two-factor authentication, most services give you a set of one-time recovery codes (sometimes called backup codes) — usually a list of eight to ten random strings. Each works once as a substitute for your normal second factor. They exist for one scenario: you cannot use your usual 2FA method.

Why you need them

Two-factor authentication is great until the day you lose access to your second factor:

  • Your phone is lost, stolen, or broken.
  • You get a new phone and forget to move your authenticator app.
  • Your SMS number changes or your SIM is swapped.
  • Your hardware key is misplaced.

Without your second factor and without recovery codes, you can be completely locked out — and because 2FA is doing its job, customer support often cannot simply let you back in. Recovery codes are your safety net. People who skip saving them sometimes lose access to important accounts permanently.

How to store recovery codes safely

Recovery codes are powerful — anyone who has them plus your password can get in — so treat them like a spare key:

  • Do save them somewhere durable and secure. Options include a printed copy in a home safe, or an encrypted note in a password manager.
  • Do keep them separate from your main second factor, so a single lost device does not take both.
  • Do not store them in plain text in an obvious place like a desktop file or an unsecured note.
  • Do not photograph them and leave the image in your unsecured camera roll.

This is one case where writing something down — securely — is genuinely good practice. See also: Should you write down passwords?

Recovery codes and your password manager

A password manager is a natural place to store recovery codes alongside the account they belong to, since the vault is encrypted. If you keep your second factor on a separate device, storing the backup codes in your manager is a reasonable balance of safety and accessibility. On a Mac, Passlock keeps your passwords — and any secure notes like recovery codes — offline in the encrypted Keychain, so they never leave your device.

A quick checklist

  1. Every time you enable 2FA, locate the recovery codes.
  2. Save them somewhere secure and durable.
  3. Keep them separate from your everyday second-factor device.
  4. Regenerate them if you ever suspect they were exposed.
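To show what "each code works once" and "regenerate them if exposed" mean on the service's side, here is an added example (not the page's or Passlock's code) of how a service can issue, store and consume recovery codes: only salted hashes are kept, a code is deleted the moment it is redeemed, and generating a new set silently invalidates the old one. The class name, the ten-code set size, the 5-byte code length and the PBKDF2 hashing choice are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumption: matches the "eight to ten" codes most services issue
CODE_BYTES = 5    # assumption: 40 random bits per code, shown as 10 hex characters


class RecoveryCodeStore:
    """Server-side bookkeeping for one account's recovery codes.

    The plaintext codes are returned exactly once, at generation time, for the
    user to save. Only salted hashes are retained, so a database leak does not
    hand out working codes, and each hash is removed on use (single-use).
    """

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        # Users type codes back with or without the separator and in any case,
        # so normalise before hashing. PBKDF2 slows down offline guessing if the
        # hash table ever leaks.
        canonical = code.replace("-", "").replace(" ", "").lower()
        return hashlib.pbkdf2_hmac("sha256", canonical.encode(), self._salt, 50_000)

    def generate(self) -> list[str]:
        """Issue a fresh set. Any previously issued codes stop working at once."""
        plain = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self._hashes = {self._digest(c) for c in plain}
        # Display form "xxxxx-xxxxx" is easier to copy onto paper.
        return [f"{c[:5]}-{c[5:]}" for c in plain]

    def redeem(self, code: str) -> bool:
        """Consume one code. True the first time it is presented, False after."""
        digest = self._digest(code)
        for stored in self._hashes:
            # constant-time comparison, then burn the code so it cannot be reused
            if hmac.compare_digest(stored, digest):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left, so the user can be warned to regenerate."""
        return len(self._hashes)
```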

Enabling 2FA without saving recovery codes is like installing a great lock and throwing away the spare key. Take the extra minute — your future self will thank you.

Frequently asked questions

What happens if I lose my recovery codes and my phone?

You may be permanently locked out of the account, since 2FA is designed to stop anyone without the second factor. That is why saving recovery codes securely is essential.

Where should I store recovery codes?

Somewhere durable and secure, such as a printed copy in a home safe or an encrypted note in a password manager, kept separate from your everyday 2FA device.
