Recovery Codes - Backup Access for MFA
About 2 min read
A recovery code (also called a backup code) is a backup authentication method for regaining access to an account when the device used for multi-factor authentication (MFA) is lost or fails. It is typically a set of single-use codes shown only once during MFA setup, and each code can be used only once. Because a broken smartphone or a lost security key can happen to anyone, storing recovery codes in advance is an essential safeguard in MFA operations.
Common Format and Mechanism
The format of recovery codes varies by service, but the most common pattern is a set of ten 8-character alphanumeric codes. Major services such as Google, GitHub, and Dropbox adopt this format.
Example recovery codes (fictitious):
Each code is invalidated after a single use. If all codes are used up, regeneration is required.
The service stores recovery codes in hashed form, and when a user enters a code, it authenticates by comparing the hash values. Used codes are invalidated immediately and cannot be reused.
Safe Storage Methods
Because recovery codes are the "last line of defense for MFA," choosing how to store them is extremely important. If you store them in the wrong place, the recovery codes themselves become an entry point for attacks.
Store them in the secure notes feature of a password manager. They are kept in encrypted form and can be synced across devices. This is the most practical option.
Print them and store them in a safe or a locked drawer. They are immune to digital attacks. However, since there is a risk of fire or loss, it is advisable to store copies in multiple locations.
Saving them in your smartphone's camera roll or a note app is dangerous. They could be unintentionally exposed externally through cloud sync, or stolen by malware.
The Risk of Recovery Codes Themselves Becoming an Attack Target
Because a password plus a recovery code alone grants access to an account, recovery codes are targeted by attackers as a "back door" that bypasses MFA. As account takeover techniques, there have been reported cases of extracting recovery codes through social engineering, as well as cases of stealing an entire password manager database with malware.
As a countermeasure, it is important to apply strong protection to the storage location of the recovery codes itself. If you store them in a password manager, make the master password sufficiently strong and also set up MFA on the password manager itself. If you print them on paper, thoroughly enforce physical access control (safes, locks).
Recovery Flow
Recovery Design in the Passkey Era
With the spread of passkeys, the approach to recovery is also changing. Because passkeys are synced to the cloud through iCloud Keychain or Google Password Manager, the risk of losing access to an account due to the loss of a single device has been reduced. However, when recovery of an Apple ID or Google account itself becomes necessary, conventional recovery codes still remain the last resort.
In corporate environments, a multi-layered design is recommended: in addition to passkeys, register a backup security key, and have IT administrators securely store the recovery codes. The security key deployment guide and what happens when your account is hacked are also helpful references for recovery design.Account security books on Amazon are also useful in practice.
Real-World Use Cases
"My smartphone broke during an overseas business trip, and I could no longer access my TOTP app. With the recovery codes I had saved in advance in my password manager, I was able to regain access to all my accounts, with zero impact on work. If I had not stored them, I think I would have been locked out for several days."
The basics of two-factor authentication also explains the steps for setting up recovery codes.
Was this article helpful?