Backup codes and recovery keys are awkward by design. They are powerful enough to get you back into an account, which means they are also valuable to anyone trying to take that account.

The goal is not perfect secrecy. The goal is a storage setup that is hard to steal, hard to lose, and usable when your normal device is gone.

The short version

For most freelancers, solo founders, and developer-consultants, ordinary account backup codes can live in a password manager. The exception is recovery material for the password manager itself, primary email, and domain registrar. Those deserve a second path outside the vault.

A practical baseline is to keep routine codes in the password manager, print or otherwise offline-store the highest-impact recovery material, avoid screenshots and unencrypted notes, and keep a short recovery map that explains where everything is. Higher-risk people may need stronger separation, hardware keys, safe deposit boxes, or trusted-person procedures.

Know what type of secret you are storing

Not all recovery material has the same risk.

Secret types and what they do:

  • MFA backup codes: one-time or limited-use codes that can bypass an MFA prompt.
  • Account recovery keys: longer secrets used to recover an account or password-manager vault.
  • Device recovery keys: keys that unlock encrypted laptops, drives, or operating-system accounts.
  • Emergency instructions: notes that explain where recovery material is stored and what order to use it in.

The highest-impact recovery material is usually tied to primary email, password manager, domain registrar, DNS, cloud storage, source-code hosting, and payment accounts.

Option 1: Store codes in a password manager

This is convenient and often reasonable for ordinary accounts. Password managers are easy to update, searchable, encrypted, available across devices, and less likely to be physically lost than a loose sheet of paper.

The weakness is concentration. If the password manager is the account you are trying to recover, or if it contains passwords, TOTP seeds, and backup codes for the same accounts, it can become a single point of failure. It may also be unavailable if you lose all trusted devices at once.

A practical rule: use the password manager for most low and medium-impact accounts, but do not make it the only place where password-manager recovery, primary-email recovery, or domain-registrar recovery lives.

Option 2: Printed recovery material

Printed recovery codes feel old-fashioned. That is part of why they work. They cannot be remotely hacked, they still work when your laptop and phone are gone, and they can live in a safe, lockbox, or sealed envelope away from cloud accounts and password-manager access.

The tradeoff is physical handling. Paper can be stolen, photographed, damaged, thrown away, or forgotten. It can also become stale when codes rotate, and it may be hard to reach while travelling.

Use printed recovery material for accounts that recover everything else: primary email, password manager, domain registrar, and maybe core cloud storage.

Option 3: Encrypted file

An encrypted file can work well if it is stored separately from the accounts it recovers. It is easy to duplicate, can include longer instructions, can be backed up, and is useful for recovery maps and emergency procedures.

The decryption password or key becomes its own recovery problem, though. It is also easy to accidentally store the file next to the thing it recovers, use a tool or file format that becomes stale, or leave it on a compromised device where it can be copied silently.

Use this only if you are confident you can still decrypt it during a real outage.

Option 4: Trusted-person or sealed emergency access

Some solo operators need another human in the recovery path. That might be a cofounder, spouse, lawyer, accountant, or trusted technical partner.

This can help if you are unavailable, reduce dependency on one device and one memory, and improve business continuity. It also requires real trust, clear instructions, and periodic review. For sensitive accounts, it raises privacy and governance questions that should be decided deliberately rather than improvised during an emergency.

This is more relevant for solo founders with customers, revenue, or domains that should survive if they are unavailable.

A practical storage pattern

Here is a simple setup for many solo technical operators:

Storage places, their good uses, and what to avoid using them as:

  • Password manager
    Good use: backup codes for ordinary SaaS accounts, notes about which accounts exist.
    Avoid using it as: the only place where password-manager recovery material lives.
  • Printed recovery envelope
    Good use: password manager recovery key, primary email backup codes, domain registrar backup codes, short recovery order.
    Avoid using it as: a full password list.
  • Separate encrypted file
    Good use: account inventory, support URLs, notes about DNS, hosting, and cloud backups.
    Avoid using it as: a file stored only on the laptop you may lose.

The goal is separation. If your password manager is unavailable, the printed recovery envelope should help you recover it. If your laptop is gone, the envelope and another device should still help. If your primary email is locked, your domain and password manager recovery should not depend only on that same email.
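The separation rule can be checked mechanically rather than by eyeballing a list. The script below is an added example, not part of the original guide: it models a recovery map as accounts with the locations that hold their recovery material, then walks the dependencies from a full lock-out to find accounts that can only be recovered while everything else is already working. The location vocabulary (printed envelope, laptop, phone), the two sample maps and the scenario names are all constructed for this example.

```python
from dataclasses import dataclass

# Locations that survive the loss of every device and every cloud account.
# (Constructed vocabulary for this example; extend it to match your own map.)
PHYSICAL = {"printed envelope", "safe deposit box", "trusted person"}


@dataclass(frozen=True)
class Account:
    name: str
    tier: int
    # Places holding a copy of this account's recovery material. A location is
    # a physical store (see PHYSICAL), a device ("laptop", "phone"), or the name
    # of another account that must itself be accessible first ("password manager").
    recovery_locations: frozenset


def recoverable(accounts, lost=frozenset()):
    """Return the names of accounts you could get back into from a full lock-out.

    Fixed-point walk: an account becomes recoverable when some copy of its
    recovery material sits in a location that is not in `lost` and, if that
    location is another account, that account has already been recovered.
    Nothing is recovered at the start, so a circular dependency (email recovers
    vault, vault recovers email, nothing offline) is never satisfied.
    """
    account_names = {a.name for a in accounts}
    recovered = set()
    while True:
        newly = {
            a.name
            for a in accounts
            if a.name not in recovered
            and any(
                loc not in lost and (loc not in account_names or loc in recovered)
                for loc in a.recovery_locations
            )
        }
        if not newly:
            return recovered
        recovered |= newly


# Loss scenarios to simulate, on top of the full lock-out that recoverable() assumes.
SCENARIOS = {
    "full lock-out, nothing lost": frozenset(),
    "laptop and phone gone": frozenset({"laptop", "phone"}),
}


def findings(accounts):
    """List the recovery-map problems this checker can detect, in map order."""
    problems = []
    for a in accounts:
        if a.tier == 1 and not (a.recovery_locations & PHYSICAL):
            problems.append(f"{a.name}: tier 1 but no offline copy of recovery material")
        if a.recovery_locations <= {a.name}:
            problems.append(f"{a.name}: recovery material stored only inside the account it recovers")
    for label, lost in SCENARIOS.items():
        stuck = sorted(a.name for a in accounts if a.name not in recoverable(accounts, lost))
        if stuck:
            problems.append(f"{label}: cannot recover {', '.join(stuck)}")
    return problems


# Constructed sample map following the separation pattern: tier 1 material in
# the printed envelope, tier 2 in the vault, tier 3 reset through email.
SEPARATED = [
    Account("password manager", 1, frozenset({"printed envelope"})),
    Account("primary email", 1, frozenset({"printed envelope", "password manager"})),
    Account("domain registrar", 1, frozenset({"printed envelope", "password manager"})),
    Account("code hosting", 2, frozenset({"password manager"})),
    Account("payment processor", 2, frozenset({"password manager"})),
    Account("newsletter tool", 3, frozenset({"primary email"})),
]

# Constructed counter-example: vault emergency kit saved only on the laptop, email
# backup codes kept inside the same mailbox they recover, everything else in the vault.
CONCENTRATED = [
    Account("password manager", 1, frozenset({"laptop"})),
    Account("primary email", 1, frozenset({"primary email"})),
    Account("domain registrar", 1, frozenset({"password manager"})),
    Account("code hosting", 2, frozenset({"password manager"})),
]

if __name__ == "__main__":
    for label, accounts in (("separated", SEPARATED), ("concentrated", CONCENTRATED)):
        print(f"{label}: {len(findings(accounts))} finding(s)")
        for problem in findings(accounts):
            print("  -", problem)
```

The separated map produces no findings: every tier 1 account has an envelope copy, and the device-loss scenario changes nothing because no recovery material lives on a device. The concentrated map shows the failure modes the text warns about: the mailbox that stores its own backup codes is never recoverable, and once the laptop is gone the vault, and everything behind it, is unreachable.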

What not to do

Avoid recovery systems that only work while everything else is already working. Screenshots in a phone photo roll, codes stored in the same email account they recover, a plain text file on your desktop, or a chat message to yourself are all fragile patterns.

The same applies to unlabelled paper you will not recognize later and a single phone that acts as password manager, authenticator, passkey device, and only recovery device. These patterns feel convenient until the exact moment you need recovery.

Common tradeoff: password manager vs paper

There is no universal answer. The right choice depends on the account.

Use the password manager when:

  • the account is not business-critical
  • the code changes often
  • losing the paper copy is more likely than vault compromise
  • you have strong MFA on the password manager itself

Use paper or offline storage when:

  • the account recovers your password manager
  • the account controls email, domain, DNS, or payments
  • you need access during a device loss
  • you want recovery material outside the digital blast radius

For the most critical accounts, use both: convenient reference in a controlled digital system and an offline recovery path.

Example storage tiers

One useful way to think about recovery material is by tier.

Tiers, examples, and storage approach:

  • Tier 1: controls everything else
    Examples: primary email, password manager, domain registrar, DNS provider.
    Storage approach: keep recovery material outside the normal digital blast radius.
  • Tier 2: important business operations
    Examples: code hosting, cloud storage, payment processor, invoicing, client workspaces.
    Storage approach: password manager storage may be fine, but document the recovery path.
  • Tier 3: lower-impact accounts
    Examples: newsletters, learning platforms, trial tools, low-risk SaaS accounts.
    Storage approach: unique passwords and routine backup-code storage are usually enough.

Tier 1 recovery material deserves offline or separately encrypted backup. Tier 2 can often live in a password manager plus a documented recovery path. Tier 3 usually does not need elaborate treatment.

This tiering prevents two bad outcomes: under-protecting the accounts that matter and over-engineering recovery for accounts that do not.

Review schedule

Review recovery material when:

  • you replace your phone
  • you change password managers
  • you change email providers
  • you move domain registrars
  • you add passkeys or hardware security keys
  • you rotate backup codes
  • you add or remove a business partner

Stale backup codes are worse than no plan because they create false confidence.

Good next step

Pick three accounts: primary email, password manager, and domain registrar. Confirm where their recovery material is stored and whether you can access it without your main laptop.
