Where to Store 2FA Backup Codes (And Where Not To)
Where to store 2FA backup codes safely: an encrypted notes app or your password manager's secure notes, plus one printed copy — and never screenshots, email, or plain cloud files.
Quick answer: Store 2FA backup codes in an encrypted notes app or your password manager's secure-notes section, plus one printed copy somewhere physically safe. The digital copy must be end-to-end encrypted — Bitwarden or 1Password's notes field works for most people, and a dedicated encrypted notes app like Secure Notes is the better home for the codes that recover the password manager itself, since recovery codes locked inside the account they recover are useless the day you're locked out. The printed copy covers total device loss: a sheet in a fireproof safe or a sealed envelope at a family member's house. Never keep backup codes as screenshots in your camera roll, in email drafts, in unlocked Apple Notes, or as plain text files in iCloud Drive or Google Drive — those are the four places attackers and sync accidents find them first.
What are 2FA backup codes — and why does storage matter?
Backup codes — also called recovery codes — are the one-time-use codes a service hands you when you enable two-factor authentication: usually eight to ten strings like 7c2k-9f4m, each valid exactly once. They exist for the day your authenticator app, phone, or security key is gone — new phone, stolen phone, phone at the bottom of a lake. Each code bypasses your second factor entirely, which makes the set a skeleton key to the account. That cuts both ways. Stored badly, backup codes turn your strongest accounts into your weakest: an attacker who finds them needs only your password, and passwords leak constantly. Stored well, they're the difference between a five-minute recovery and a multi-week support ordeal — Google, Apple, and most exchanges will make you wait days to prove your identity without them. The storage question is the whole game.
Should backup codes go in your password manager?
For most people, the secure-notes section of a real password manager — Bitwarden, 1Password, Proton Pass — is a perfectly good home for backup codes. The vault is end-to-end encrypted with AES-256, syncs across devices, survives phone loss, and you already open it daily. Paste the codes into the notes field of the matching login entry and you're done. There is one genuine exception, and it matters: the backup codes for the password manager itself. Codes whose entire job is to get you back into a locked vault cannot live inside that vault — when you need them, the door they open is the door they're behind. The same circular logic covers the email account that resets your password manager. Those two or three sets need a home outside the vault: an encrypted notes app, or paper.
Is it safe to store backup codes in a notes app?
An encrypted notes app is safe for backup codes if — and only if — it's actually encrypted. Apple Notes without a lock, or any notes app syncing plaintext to a cloud, is not. What qualifies: end-to-end encryption with the key derived on your device, a biometric lock with a short auto-lock timer, and a recovery path that doesn't route through the accounts your codes protect. Secure Notes is built exactly this way — AES-256-GCM encrypted on-device, Face ID, per-folder passwords, ciphertext-only iCloud sync, and a 12-word recovery seed only you hold — and it's free. The structural advantage over a password manager is separation: codes live in a different app behind a different master credential, so compromising one vault doesn't surrender both. Keep one locked note per service and cross codes off as you burn them.
What's the safest offline option?
The safest offline option is boring: print the codes, or copy them by hand, and put the sheet somewhere fire-resistant and unobvious — a small home safe, a locked filing drawer, or a sealed envelope at a parent's house. Paper cannot be phished, synced, or exfiltrated by malware; its only enemies are fire, water, and people physically inside your home. Don't label the sheet “Google backup codes” in 60-point type — a header like “2FA — June 2026” is enough for you and useless to a burglar in a hurry. Refresh the printout whenever you regenerate codes, and shred the old sheet. For most people, one printed copy plus one encrypted digital copy is the right amount of redundancy: paper survives a total digital wipeout, the digital copy survives the house fire, and no single failure takes both.
Where should you never store backup codes?
The places people actually keep backup codes are the worst ones. Screenshots are the most common and the most dangerous: your camera roll syncs to iCloud Photos or Google Photos automatically, gets indexed by on-device text recognition that makes “backup codes” literally searchable, and keeps deleted images in Recently Deleted for 30 days. Email is plaintext on someone else's servers, and an email breach is precisely the scenario 2FA exists to survive — codes sitting in your inbox hand the attacker who phished your email your second factor for free. Unlocked notes apps and plain text files in iCloud Drive or Google Drive fail the same way: one stolen cloud password exposes everything at once. The pattern across all four: convenience storage puts your codes inside the very accounts and sync systems the codes are supposed to be independent of. Independence is the entire point.
2FA backup code storage options compared
| Storage option | Security | Convenience | Survives phone loss? | Cost |
|---|---|---|---|---|
| Password manager secure notes | High (E2EE vault) | High — synced, searchable | Yes | Free–$10/yr |
| Encrypted notes app (Secure Notes) | High (E2EE, separate vault) | High — Face ID, synced | Yes (12-word seed) | Free |
| Printed sheet in a safe | High (offline) | Low — at home only | Yes | $0 (+safe) |
| Screenshot in camera roll | Very low | High | Yes — for attackers too | Free |
| Email draft to yourself | Very low (plaintext) | Medium | Yes | Free |
| Plain file in iCloud/Google Drive | Low (account-tied) | High | Yes | Free |
A simple setup that covers everything
- Everyday services — banks, email, social, work: paste backup codes into the secure-notes field of the matching entry in your password manager.
- The password manager itself, and your primary email — store those codes in a separate encrypted notes app like Secure Notes, behind Face ID and its own master password, so a vault lockout can't strand you.
- One printed sheet of the highest-stakes codes (email, password manager, Apple ID) in a fireproof safe or with family — the copy that survives losing every device at once.
- Hygiene: delete any existing screenshots (including Recently Deleted), regenerate code sets after using a few, and update the printout when you do.
The same separation logic scales up to higher-stakes secrets — see how to store a crypto recovery phrase for the metal-plate version of this problem, and whether passwords belong in a notes app for where the credential/content line actually sits.
Frequently asked: storing 2FA backup codes
Is it safe to store 2FA backup codes in a notes app?
Yes, if the app is genuinely end-to-end encrypted — the key derived on your device, a biometric lock, and ciphertext-only cloud sync. Secure Notes, Standard Notes, or a locked note in a similar zero-knowledge app all qualify. An unlocked Apple Notes note or any app that syncs plaintext does not. The test: if the app maker could reset your password by email and still show you the note, it is not encrypted enough for backup codes.
Should I store backup codes in the same password manager they recover?
No — that specific combination is the one real mistake. Backup codes for Bitwarden or 1Password exist to get you back into a locked vault; storing them inside that vault means they are unreachable exactly when you need them. Keep the password manager's own recovery codes in a separate encrypted notes app or on paper. Codes for every other service can live in the password manager without issue.
Can I just print my backup codes and skip digital storage?
Yes, paper alone is a legitimate setup — it cannot be phished or hit by malware, and most services let you regenerate codes if the sheet is lost. The trade is availability: if your phone dies while you are traveling, the paper at home does not help you log in from a borrowed laptop. Most people are better served by one printed copy plus one encrypted digital copy that syncs.
Are screenshots of backup codes really that risky?
Yes, and they are the most common storage method. Screenshots sync automatically to iCloud Photos or Google Photos, are indexed by on-device text recognition — searching your camera roll for 'backup codes' literally works — and persist in Recently Deleted for 30 days. Anyone who gets into your photo library, including apps with photo permissions, gets your second factor. Delete existing screenshots, including from Recently Deleted, after moving the codes somewhere encrypted.
Should I delete backup codes after using one?
Each code works exactly once, so a used code is dead — cross it off wherever you store the set. The better habit: once you have burned through two or three codes, or any time you suspect the set was exposed, regenerate the full batch in the service's security settings. Regenerating invalidates every old code at once, which also neutralizes any forgotten screenshot or printout from years ago.
How many copies of my backup codes should I keep?
Two is the sweet spot: one encrypted digital copy that syncs across devices, and one printed copy in a fire-resistant spot at home or with family. The digital copy survives a house fire; the paper survives a total digital lockout. More copies than that mostly adds attack surface — every extra location is another place an attacker or an accident can find them.