How to Backup 2FA Seed Codes

Security pros have been urging you to use two-factor authentication (2FA) for years. Along with using a password manager, it’s probably our top recommendation. But if you’re not careful, you could lock yourself out of your own accounts.


Options for Setting Up 2FA

When you set up two-factor authentication with a website, you generally have three options:

  1. Using SMS or text messaging to receive your one-time PIN codes
  2. Generating one-time PIN codes using an authenticator app (like Google Authenticator)
  3. Using a hardware key like a YubiKey as your second factor

For most people, I find authenticator apps offer the best tradeoff between security and convenience. Most people have their smartphones with them all the time (unlike hardware keys). And the time-based one-time password (TOTP) mechanism used by all modern authenticator apps is way more secure than text messages.

But there’s one glaring problem with using an authenticator app: if you lose the device running the 2FA app, you may lose access to the 2FA-protected accounts. To prevent this, you need a backup.

Setting Up 2FA Using Seed Codes

When you set up 2FA using an authenticator app, the instructions will look something like the example below. You are instructed to scan the QR code with your authenticator app, which will synchronize your 2FA app with the website. That is, it allows the app to generate the correct 6-digit PIN codes every 30 seconds that will match the one expected by the website. To confirm this, the website will have you enter a code from your app before activating two-factor authentication on your account.

Sample 2FA setup via QR code and authenticator app

Instead of scanning the QR code, you could also manually enter that long random key (like the one starting with “3acg” above). That’s the shared secret that is used to prime the 2FA PIN generation algorithm. We often refer to this secret as a seed code or seed phrase. The QR code is just another representation of that seed code. (You can use this tool to test that, if you want – look for “secret” in the decoded output.)

Crucially, anyone with access to this seed code can set up an authenticator app to generate proper 2FA codes for your account. It will work forever to initialize any TOTP-based 2FA app, on any device, for this account. For this reason, most sites will never show this code again. And most 2FA apps will not reveal it after an account is set up. While that’s good for security, it can also bite you in the butt.
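To make concrete why the seed code is the only thing that matters (and why a saved copy re-initializes any app on any device), here is an added example, not code from the original post or from any authenticator app: it parses the `otpauth://` URI that a setup QR code carries, decodes the base32 secret, and runs the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 6 digits, 30-second steps) over it. The `ExampleSite` / `alice@example.com` label is made up; the secret is the base32 form of the public RFC 4226/6238 test key `12345678901234567890`, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a 2FA setup QR code encodes. The issuer and
# account are invented; the secret is base32("12345678901234567890"),
# the key used by the RFC 4226 / RFC 6238 test vectors.
SAMPLE_URI = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
    "&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return the fields an authenticator app stores after scanning a QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_seed(secret):
    """Base32 seed as displayed to the user -> raw key bytes.
    Tolerates spaces, dashes, lowercase and missing '=' padding, all of
    which real apps accept when a seed is typed in by hand."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    Any device holding `secret` produces the same code at the same time."""
    if at is None:
        at = time.time()
    return hotp(decode_seed(secret), int(at) // period, digits)


def verify(secret, candidate, at=None, window=1, digits=6, period=30):
    """What the website does: accept the current step plus/minus `window`
    steps of clock drift, comparing each candidate in constant time."""
    if at is None:
        at = time.time()
    step = int(at) // period
    key = decode_seed(secret)
    return any(
        hmac.compare_digest(hotp(key, step + i, digits), candidate)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(cfg["issuer"], cfg["label"], "->", totp(cfg["secret"]))
```

Note that nothing in the code depends on the phone it runs on: the QR image, the typed-in text secret and a printed backup all collapse to the same `secret` string, which is exactly why that string deserves the same protection as a password.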

Putting All Your Seeds in One Basket

So let’s say you’ve set up 2FA on twenty of your most important online accounts. Good for you! But then you lose your phone that runs the authenticator app. Now what?

Many online accounts will provide you with “recovery codes” when you set up 2FA, as a one-time backup account access mechanism in case you lose access to your authenticator app. Sometimes you have to generate them by clicking a link/button. I would recommend you do this and save those recovery codes somewhere safe – but probably not in your password manager. (I’ll come back to this later.)

But if you don’t have recovery codes, then what? Well, you’re probably locked out of your 2FA-protected accounts and you may have to go to great lengths to regain access, usually by contacting customer support. The better solution is to back up those initial 2FA seed codes.

Backing Up Seed Codes During Setup

The best time to back up your 2FA seed codes is when you set up 2FA for each account. When you reach the setup instructions like those shown above, you can do one of the following:

  1. Just print off this page – like onto a physical piece of paper – and store it somewhere safe. I usually take a screenshot of the important info and print that. If necessary, you can take a picture of the page with your smartphone and print it later. Be sure to clearly capture the QR code, and if shown, the text version of the seed code or secret. When you print the page, label it carefully so you know which account it’s for, if it’s not obvious from what you printed. When done, delete the image of the page.
  2. If you can see or expose the text form of the secret (like “3acg …” above), then you can write it down somewhere safe. Again, remember to include the website information, so you know which account it’s for.
  3. If you have a second device (could be an iPad or your spouse’s phone), you can scan this code with an app on that device, as well. This will give you a second device for getting the 6-digit PIN codes. You might want to do this, anyway, for accounts you share with your spouse.

Don’t save these codes in a computer file, unless you password-protect the file or put the file in a password-protected folder. In other words, encrypt it. Unprotected files could be extracted by a hacker or malware. (See these articles for help.) If you go this route, be sure the information is backed up somewhere.

I also wouldn’t save the seed codes (or recovery codes) in your password manager. That would be very convenient and it would be fairly safe in most cases. However, if your password manager was somehow compromised, then the thief would have all the information they need to get into your accounts, which sort of defeats the purpose for two-factor authentication. If you can’t bring yourself to do any of the methods above, though, then storing the codes in your password manager is better than nothing.

Backing Up Seed Codes After Setup

So what if you’ve already set up 2FA for a bunch of accounts? How can you back up those seed codes?

If you happen to be using an authenticator app that has cloud syncing (like Authy), then you can enable that service and install the app on a second device. The codes will be synced (copied) to the new device. Both devices will generate the same codes for each account. This may not give you access to the seed codes themselves, but at least you’ll have a second device capable of generating the access PIN codes. (For those of you who don’t mind some command line work, you might check out this project for extracting codes from the Authy desktop app.)

Better yet, if you chose one of the few apps that actually allow you to view your seed codes after setup, then you can reveal them in the app, then write them down or print them out. Some apps also allow you to export all your seed codes (in bulk) to a file. Check out Aegis (Android) or Ente (iOS/Android). You can print the file and then delete it, or password protect the file and make sure it’s backed up.

If none of those options work for you, then you’re stuck with only one very tedious option: disable 2FA on all your accounts and start over. When you re-enable 2FA, you can back up the new seed codes using one of the above techniques. And you might want to take this opportunity to move to a better authenticator app, while you’re at it.

Using Your Seed Codes

Whenever you need to set up a new device, you can just use the saved seed codes to re-initialize any 2FA app for each of your accounts. With those seed codes, the new device will generate the proper codes at the proper time. (That’s the whole point.)

Note that when you set up a new iPhone, you can copy over all the apps and data from the old iPhone to the new one. If you do this, all your 2FA codes should transfer just fine. I’m not familiar with this process on Android phones, but I would guess it works the same way there. Also, if you use a 2FA app with cloud syncing, the codes should sync when you install the app on the new device and sign in. But if you lost your old device or for some reason don’t want to copy all your data over from your old phone, you can use your saved 2FA seed codes to set up your authenticator app on the new device.

UPDATE: Wirecutter (NY Times) has a good article that covers a lot of what I covered here, but has a more extensive discussion on what to do if you lose your 2FA device.
