Hey folks! I'm looking to see how everyone manages their 2FA secret keys. I've been enabling 2FA on all my accounts, but I often just copy these "secret keys" into various notes or websites, sometimes even skipping them altogether. Now I'm realizing that if I lose my phone, I'm in big trouble! How do you all handle your 2FA keys? Do you just save them in random places, or do you use a password manager or something else? I'd love to hear your strategies!
9 Answers
I think the best way to handle those secret keys is to print them out and keep them in a safe place. Honestly, it's simple and effective!
I've taken a rather extreme route—I've tattooed my keys on my body, just like that guy in Memento! Just kidding, but I do keep them pretty secure.
I rely on a YubiKey for extra security!
Does YubiKey have an option for secure note storage? Just curious, because recovery keys are a separate thing, and I definitely wouldn't store them on the same device I'm using for MFA.
I stick with KeePass for all my sensitive info. Works great for me!
I’ve chiselled my secrets into hardened lava from a volcano... just kidding! I store them in my password manager too.
I keep all my backup codes and 2FA secret keys in a dedicated Bitwarden vault. At just $10 a year, it’s a small price to pay for peace of mind. I use 1Password for my general password management.
This is definitely the best approach! A password manager is a secure way to store everything, just make sure it’s separate from your current MFA.
I'm all in with 1Password for managing my passwords, including 2FA keys.
For my most crucial accounts, I use YubiKeys for authentication. As for recovery codes, I save them in a GPG-encrypted file in the cloud. For TOTP seeds, I just let Microsoft Authenticator back them up automatically, though I'm not totally sure how reliable that is.
Nice! I think I'll need to invest in a YubiKey for extra security.
I store my secrets in the notes section of my password manager. That way, if I ever need to retrieve them, they're all in one place. For any really important accounts, I just keep a backup document stored securely on my server.
Got it! So a password manager is your go-to for these keys. Sounds like a solid plan!
Agreed! But where exactly do you keep them? Right now, I have mine scattered across Discord, my phone notes, and WhatsApp. Seems risky!