Two-factor authentication (2FA) is one of the most effective tools for protecting our online accounts. With data breaches and phishing attacks rising, relying on passwords alone is not enough anymore. A second verification step, usually a one-time code generated on your phone, makes it harder for unauthorized logins to succeed, even if someone steals your password.

While 2FA improves security, it introduces a different risk. You could get locked out if you do not back up your codes and lose access to your 2FA app. I have seen this happen to people and have come dangerously close myself. I once nearly lost access to my email after a phone reset. After learning the hard way, I put together a foolproof system that ensures I can always recover my accounts, even if I lose access to my device. Here is how I back up my 2FA codes so I never lose access, even if my phone is lost, stolen, or wiped.

Illustration of Google's password manager with the Google logo and warning signs around it.

The problem with typical 2FA setups

Relying on a single app or tool is risky

Illustration of a password manager with passwords, keys, and padlocks

Source: Lucas Gouveia/Android Police

While 2FA dramatically improves security, it also introduces a single point of failure: your authenticator app. You may be completely locked out if your app does not sync to the cloud and you have not saved your recovery options.

But the good news is that some apps now support sync. Google Authenticator introduced cloud syncing in 2023, allowing users to tie their codes to their Google Accounts. Similarly, Authy has long offered multi-device support and encrypted cloud backups. Despite these improvements, many users are still vulnerable. Some use authenticator apps that do not support sync (like 1Password or FreeOTP), while others may skip saving the backup keys and recovery codes during setup.

That is why I do not rely on just one tool or method. I have set up a layered system that combines sync-enabled apps, encrypted offline backups, and old-fashioned redundancy.

For instance, if you use Aegis Authenticator, you must have your system in place since it does not sync anything to the cloud unless you explicitly back it up. The open-source 2FA app for Android stores my codes locally with strong encryption, giving me control over how my passwords are secured.

Here is how I have set up my backup system:

Use a 2FA app with secure local backups

Pick an application that won’t leave you stranded

Password manager on a smartphone screen, with warning signs and question marks around it.

Source: Lucas Gouveia/Android Police

Aegis doesn’t support automatic cloud sync but offers encrypted local backups. Whenever I add a new 2FA account, I export an encrypted backup file from the app. This file is protected by a strong password.

I store these backup files in multiple secure locations. The primary copy is on my encrypted USB drive, stored in a fireproof safe. A redundant copy is in my encrypted cloud storage (I use MEGA). Another copy is on an encrypted volume on my NAS.

This way, even if my phone gets wiped or lost, I can install Aegis on a new device, import the backup, and get all my 2FA tokens back in minutes. The app also supports fingerprint authentication and custom labels, making managing my 2FA library easier without compromising security. Authenticator apps like 2FAS, Yubico Authenticator, and Stratum are also great alternatives.

Save every 2FA secret key during setup

Don’t skip this step

Many services provide a secret key (or setup key) alongside the QR code when enabling 2FA. It’s your universal fallback, so I always ensure to save this key during setup.

If I ever need to re-add the account manually, I can just input this key into any 2FA app that supports TOTP (Time-Based One-Time Passwords), including Aegis, Google Authenticator, or 2FAS. Not all services expose the key by default. So I search for an option like “manual setup” or use a QR decoder tool to extract it.

I maintain a list of these keys in a spreadsheet that includes the service name, email or username, TOTP secret key, Type of 2FA used (TOTP, SMS, hardware key), and recovery codes (if available). The spreadsheet is then encrypted and zipped using 7-Zip with AES-256 encryption. I store this file in secure locations as my Aegis backup. It may sound like overkill, but it’s already saved me before.

Use a password manager for some accounts

It’s convenient for lower-risk scenarios

Six different password managers arranged artfully on an Android phone's home screen

I sometimes store 2FA tokens directly in my password manager for low-stakes services like newsletters, hobby forums, or temporary logins. I use Bitwarden as my password manager since it supports storing TOTP secrets and logins. I treat it as a convenience layer. It is not a replacement for manual backup and redundancy.

Modern password managers like 1Password, Dashlane, and Keeper offer similar features. Just make sure you lock them down with 2FA of their own, preferably using something more secure than just SMS.

However, I don’t use Bitwarden to store 2FA codes for sensitive accounts like my primary email, banking, cloud storage, crypto, or admin tools. Those stay in Aegis with proper backup.

Netflix Kids displayed on a Pixel 8 Pro

Test your recovery strategy

Practice runs help you fix mistakes in advance

I do a dry run once or twice a year to check if everything still works. I simulate losing access to my authenticator app and go through the steps I’d need to restore it.

I reinstall Aegis on a secondary device and check the following:

  • Can I access my cloud backup?
  • Can I open my encrypted archive?
  • Do my recovery codes still work?
  • Have any services changed their 2FA settings?
  • Have I skipped any QR code or recovery steps by mistake?

This exercise helped me catch expired recovery codes, outdated contact info, and even an instance where I had forgotten to save the 2FA key during setup. Fixing it in advance is way easier than scrambling after something goes wrong.

Manage SMS-based 2FA carefully

Check if a service supports switching to TOTP

Gemini integration in Google Messages

Some services still rely on SMS-based 2FA, which is less secure and more prone to hijacking. SIM-swapping attacks are a real threat, especially to high-value accounts.

Whenever possible, I switch to app-based TOTP. When that’s not an option, I take the following precautions:

  • Keep my phone number registered to a physical SIM on a secure carrier.
  • Never share my number publicly.
  • Set a PIN on my mobile account to prevent unauthorized porting.
  • Add a note to my backup file indicating that a given account uses SMS for 2FA.

It lets me track which accounts are more vulnerable and reminds me to update them as better options become available.

Set up an emergency kit for loved ones

Prepare for emergencies

An illustration of a phone with a password field in view surrounded by red flowers

As a final safety measure, I’ve prepared an emergency kit for trusted family members. It includes the master password for my password manager, Aegis backup password, instructions for restoring 2FA, and recovery codes for accounts like email, bank, and cloud storage.

I’ve printed the document, sealed it in an envelope, and stored it in a fireproof safe. If something were to happen to me, they would be able to access my accounts without any stress.

Animated person with question mark above head holding phone with large blue recover account button beneath them

Back up your 2FA codes to prevent getting locked out of your accounts

Backing up your 2FA codes is essential for safeguarding your accounts. Choosing the right authenticator app, saving your keys, storing recovery codes, and building redundancy can help you enjoy the security of 2FA without the fear of losing access. I’ve learned that 2FA isn’t something you set and forget. It’s part of a digital hygiene routine. Even if my phone gets stolen, factory reset, or bricked, I can recover everything I need. That peace of mind is worth far more than the time I spent setting it up.