4 Ways to Store Backup Codes, Keys, and Seed Phrases

Backup codes, keys, and seed phrases are important if you lose access to multifactor authentication (MFA) methods or are otherwise completely locked out of your accounts.

There are many methods to store backup codes, keys, and seed phrases. Some methods may be better for certain situations and/or users than others.

Different solutions have differing pros and cons – it’s important to weigh these when deciding how to store backup codes and seed phrases.

Importance of backup codes, keys, seed phrases

Strong(er) MFA methods, such as Time-based One-Time Codes (TOTP), place the onus of account recovery almost squarely on the user's shoulders; recovery is usually performed using backup codes or seed phrases that only the user should have access to. This is not as scary as it sounds and should not be an excuse to use weaker MFA methods like email or text message (SMS).

Always be sure to use strong MFA methods, like TOTP or FIDO2 (hardware keys).

These backup codes are typically issued after the user has established a strong(er) MFA method for an account, such as TOTP. The time between this and when a backup code might be needed could be long – as such, it is important to store these codes safely and immutably.

While loss of access to MFA apps may seem wildly unlikely, some common scenarios could indeed make it more likely – and highlight the importance of keeping backup codes and seed phrases – such as:

  • Change of smartphone
  • Loss/theft of MFA device (such as a smartphone)
  • Authenticator app changes gone awry, lost codes, lost secrets, etc.

With seed phrases and keys, failure to safeguard these could result in a permanent loss of data or assets. Seed phrases are commonly associated with cryptocurrency wallets and blockchain-based applications, such as private messenger Session. Seed phrases can function as backup codes in practice; they are frequently used for transferring data between devices, without starting a “fresh” wallet or account.

1. Writing down codes

More conventional advice urges users to write down backup codes. This is usually a quick method that requires little effort besides coughing up pen and paper – which most people have on hand at their desks/workspaces at just about any moment.

While usually good enough for both security and the contingencies where the backup codes are actually needed, users should take care when writing down codes. At a minimum, users will want to make sure the codes are transcribed correctly, legible, and stored in a safe-ish location.

Transcription

In this case, transcription of the code is writing it down on paper. If you write the code down wrong, then it will do you absolutely zero good in the case where you might need it.

To be sure the code or seed phrase is transcribed correctly, it is good practice to test them as if you were using your written transcription to recover an account – a “table-top” exercise, if you will. In your tests, you’ll want to simulate:

  • Not having access to your MFA method
  • Not having any other form of the backup code/seed phrase other than the written-down version
  • Possibly not having your password or another method of MFA configured on the account

Note: Some codes can only be used once.

If you choose to write down backup codes, then you'll want to ensure they're legible and resistant to fading. General advice says to avoid writing down codes in pencil, which is prone to fading compared to a pen or Sharpie marker.

For best legibility, users should take their time in actually writing down the codes. Be aware that L can be easily mistaken for a lowercase I or the number 1. The letter O can be mistaken for the number 0. To alleviate these common transcription errors, users may want to make sure there is a clear difference between letters, numbers, and symbols (if applicable).

You should also transcribe the code exactly as you see it – it may be case sensitive! If you accidentally record a lowercase g where it should have been uppercase, then it may spell problems for you later on when you go to use the code.
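A small checker for the "table-top" test described above, added here as an example and not part of the original post: you type in the code as read back from the paper, and it reports each mismatch against the original, flagging the confusable glyphs the text warns about (O/0, l/I/1) separately from case errors. The groups 5/S, 8/B and 2/Z go beyond the two pairs the text names, and the sample codes are constructed.

```python
# Added example, not part of the original post. Supports the "table-top"
# test: compare the code as read back from paper against the original and
# classify every mismatch, so a slip is caught while the original is still
# on screen rather than on the day the code is actually needed.

# Glyph groups commonly confused when handwritten or read back. The first two
# are the pairs the post names; the rest are additional common confusions.
CONFUSABLE_GROUPS = [
    set("0Oo"),    # zero vs. letter O
    set("1lI|"),   # one vs. lowercase L vs. uppercase i
    set("5S"),
    set("8B"),
    set("2Z"),
]

def _confusable(a: str, b: str) -> bool:
    """True if a and b sit in the same confusable group."""
    return any(a in g and b in g for g in CONFUSABLE_GROUPS)

def ambiguous_positions(code: str) -> list[int]:
    """Indices of glyphs worth writing distinctly (e.g. a slashed zero,
    a serifed capital I) when transcribing the code by hand."""
    return [i for i, c in enumerate(code) if any(c in g for g in CONFUSABLE_GROUPS)]

def compare_transcription(original: str, transcribed: str) -> list[tuple[int, str, str, str]]:
    """Return one (index, expected, got, kind) tuple per mismatch.

    kind is 'case' (same letter, wrong case), 'confusable' (O/0, l/1, ...),
    'other' (unrelated glyph) or 'length' (characters missing or added).
    An empty list means the transcription is usable as-is.
    """
    issues = []
    for i, (a, b) in enumerate(zip(original, transcribed)):
        if a == b:
            continue
        if a.lower() == b.lower():
            kind = "case"          # codes may be case sensitive
        elif _confusable(a, b):
            kind = "confusable"
        else:
            kind = "other"
        issues.append((i, a, b, kind))
    if len(original) != len(transcribed):
        n = min(len(original), len(transcribed))
        issues.append((n, original[n:], transcribed[n:], "length"))
    return issues

if __name__ == "__main__":
    # Constructed sample: the code shown on screen vs. what was read off paper.
    shown, read_back = "A7gl0-Q2kI", "A7g10-Q2kl"
    print("ambiguous glyphs at:", ambiguous_positions(shown))
    for issue in compare_transcription(shown, read_back):
        print(issue)
```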

Safe storage location

For physical mediums, the storage location of the medium is perhaps the biggest factor in its security and integrity; the paper on which you write down your codes should be kept in a safe location.

When considering a safe physical location, at minimum users should ensure the storage location is one where they have primary access and control. Users should also be aware of who, if anyone, has direct access to this storage location.

In households with live-in family members and roommates, notebooks or papers containing backup codes or seed phrases can be snooped on, accidentally destroyed, or thrown away; so, generally, it's best to pick a storage place that limits these plausible scenarios.

2. Print out codes

Many services will encourage users to print out backup codes/keys and seed phrases.

The main issue here: Do you have a printer? (I know I don’t.) For this reason alone, other suggestions in this post for storing backup codes – including writing down codes – may be a more fitting idea for many users.

If a user does not have a printer, there do exist printing services – such as those offered at an office supply store.

However, there could be "operational security" (OpSec) issues with using a third-party printing service; users are typically asked to email the document to be printed to the printer's queue. But who else has access to the document in that queue? Are there any retention periods for the emailed document(s)? The answers depend on the printing service's privacy policy.

3. Upload codes to encrypted cloud providers

For ready access to backup codes in a situation where one is needed, users could store the codes with a trusted cloud storage provider. A cloud storage provider offers seamless access to the codes, which should fit just about any situation where quick access is needed.

Users should ensure (at least, to the best of their ability) the cloud provider uses zero-knowledge encryption to store files. Many cloud storage providers still have direct access to file metadata, such as file type and size.

Many cloud storage providers (and third-party service providers doing business for the cloud provider) retain the keys to decrypt

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/store-backup-codes