
Where to Actually Store Your 2FA Backup Codes

A screenshot in your camera roll is the worst place for 2FA backup codes. Here's where they should live, and why the wrong choice defeats the point.

Every time you set up two-factor authentication on an important account, you’re shown a list of backup codes — usually eight to ten alphanumeric strings — with a message along the lines of “store these somewhere safe, you’ll need them if you lose access to your authenticator.” Then, for most people, one of two things happens: the codes get screenshotted and forgotten, or the setup is abandoned entirely because the prompt felt like a chore.

Both outcomes defeat the purpose. Backup codes exist specifically for the moment your normal 2FA method, your phone or your authenticator app, isn’t available. If the codes are buried in a screenshot you can’t find or were never saved at all, you’ve built a security feature with no recovery path: you carry the lockout risk of 2FA without the resilience it was supposed to add, and your fallback becomes a slow, manual account-recovery process at the worst possible time.


What Backup Codes Are Actually For

It’s worth being precise about the job these codes do, because that determines where they should live. Backup codes are a recovery mechanism for one specific scenario: you’ve lost access to your primary 2FA method — phone lost, stolen, or wiped; authenticator app reinstalled without transferring accounts — and you need to get back into an account without it.

They are explicitly not meant to be used as a substitute for your regular 2FA method out of convenience. Each code is typically single-use, and using one as a shortcut just means you have fewer left for the emergency they’re actually intended for.


Why a Screenshot Is the Wrong Answer

Screenshotting backup codes feels efficient — it takes ten seconds, and the codes are right there in your photo gallery whenever you need them. But this is exactly the failure mode worth avoiding, for a few concrete reasons:

Your camera roll syncs to the cloud, often automatically. A screenshot of backup codes for your email account gets backed up to whatever photo service is connected to your phone — which means the codes now live in two places (your phone and the cloud), each with its own security profile, neither of which you specifically chose for this purpose.

It’s mixed in with everything else, including AI-indexed content. Cloud photo services increasingly run AI-powered search and content analysis across your library, including screenshots. A screenshot of backup codes for your bank account sitting in the same pool of content that’s being scanned for “show me photos of the beach” isn’t a targeted security risk by itself, but it’s an unnecessary one — there’s no reason recovery codes for a sensitive account should be subject to the same processing as a vacation photo.

If your phone is lost or compromised, the screenshot goes with it. Backup codes exist for the scenario where you’ve lost your primary 2FA device. If the backup codes are stored as a photo on that same device, you’ve created a single point of failure for the exact recovery mechanism meant to protect you when a device is lost.


The Actual Options, Ranked by What They’re Good For

Paper, stored physically separate from your devices

For your highest-stakes accounts, primary email and the password manager itself, printed or handwritten backup codes kept in a physical location (a drawer, a safe, a fireproof box) have a real advantage: they can’t be accessed remotely. No malware, no cloud breach, no account compromise touches a piece of paper in your home. Its threats are physical instead: fire, flood, and anyone who can open the drawer, so pick a spot that casual visitors and housemates don’t routinely go through.

The tradeoff is durability and accessibility — paper can be lost, damaged, or simply forgotten about, and it’s not useful if you need account access while traveling and the paper is at home. For accounts where losing access entirely would be catastrophic, a second copy in a separate physical location (or with a trusted family member) is a reasonable hedge.

A password manager’s secure notes or attachments

Most password managers support storing backup codes as a note or attachment alongside the account’s main password entry. This is convenient — codes and password live together, and the password manager’s own encryption protects both — but it concentrates risk: if your password manager’s master password or vault is compromised, an attacker gets the password and the backup codes for everything in one place.

This is a reasonable choice for most accounts, with one important caveat: make sure the password manager itself has strong, unique account security (a strong master password and its own 2FA), since it’s now protecting the keys to the keys. There is also one unavoidable exception: the password manager’s own backup codes cannot live inside the vault they are meant to unlock, so those need one of the other options below.

An encrypted document vault, separate from your password manager

Storing backup codes as a text file or scanned document in an encrypted storage vault — separate from both your camera roll and your password manager — splits the risk: even if one system is compromised, the other isn’t automatically exposed too. This is a reasonable middle ground for codes you want accessible from any device (unlike paper) without concentrating them in the exact same vault as the passwords they’re meant to recover (unlike a password manager’s built-in notes).

The key requirement is that the vault is encrypted, genuinely separate from your general photo and file backups, and not something that gets swept into AI-indexed search alongside unrelated content.

What to avoid regardless of which option you choose

  • Email drafts or sent folders (“emailing myself the codes”) — email accounts are themselves a common target, and if email is compromised, codes meant to protect other accounts are sitting right there too
  • Plain notes apps with cloud sync and no specific encryption — convenient, but typically no better protected than the camera roll they were meant to replace
  • A single copy with no backup — losing your one copy of backup codes means going through a (usually slower, more painful) account recovery process instead

A Mistake Worth Calling Out Specifically: Storing Codes Right Next to the QR Setup Screenshot

There’s a specific habit that compounds the screenshot problem rather than just repeating it: screenshotting the entire 2FA setup screen, QR code and backup codes together, in one image. This is common because it’s the screen you’re already looking at during setup, and capturing all of it in one shot feels efficient.

The trouble is that this single screenshot now contains everything needed to fully clone that account’s 2FA setup. The QR code is not a one-time token: it is an encoding of the shared secret (typically an otpauth:// URL carrying the base32 seed), and anyone who can decode the image can generate valid authentication codes for that account indefinitely, on top of holding the recovery codes. One image, sitting in a synced camera roll, is a more complete compromise than either the password or the backup codes alone would be.

If you’ve done this in the past, it’s worth a specific search through your screenshots — not just a general cleanup — for QR codes and the words “backup codes” or “recovery codes” near them, since these are easy to overlook in a casual scroll but represent some of the highest-value targets in an otherwise low-stakes photo library.


Testing That Your Backup Codes Actually Work

A backup code strategy that’s never been tested has an uncomfortable failure mode: you don’t find out it’s broken until the moment you actually need it, which is also the worst possible time to discover a problem.

Most services let you regenerate backup codes at will, which means you can periodically verify your storage approach without burning through your only set. A reasonable habit: once or twice a year, confirm you can actually locate and read your stored backup codes for your two or three most important accounts — email, password manager, primary cloud storage — without needing to dig through old messages or guess where you put them. If you can’t find them in under a minute, the storage approach needs fixing before you actually need it under pressure. One caveat when you do regenerate: the previous set is invalidated the moment the new one is issued, so every stored copy (paper and vault) has to be replaced in the same sitting, or you end up with a carefully stored set of dead codes.

This is the same logic that applies to data backups generally: an untested backup is a hypothesis, not a guarantee. Backup codes deserve the same scrutiny.


A Practical Setup Worth Adopting

For most people, a reasonable approach looks like this: high-stakes accounts (primary email, password manager) get a printed copy stored physically, separate from devices. Everything else goes into an encrypted document vault, kept distinct from your regular camera roll and photo backups specifically so the codes aren’t mixed into AI-searchable photo content.

Whichever combination you choose, the codes should live somewhere you’d actually be able to find and use during the scenario they exist for — locked out, possibly on an unfamiliar device, needing access fast. A backup system that’s too elaborate to actually use under stress isn’t meaningfully better than the screenshot it’s replacing.


How daftei Fits Into This

daftei isn’t a password manager, and it’s not trying to be one — it’s a private, encrypted vault for documents, photos, and voice notes, with AES-256 encryption at rest and TLS 1.3 in transit. That makes it a reasonable place to store a scanned or photographed copy of printed backup codes, or a text document listing them, as the “separate from your password manager” leg of a backup-codes strategy — kept apart from both your camera roll (where it’d get mixed into general photo content) and your password manager (where it’d be concentrated with the passwords it’s meant to recover).

It won’t autofill codes into a login form the way a password manager does, and it’s not designed to. What it offers is a private, deliberate place to keep the kind of sensitive document you don’t want sitting in a screenshots folder — which, for backup codes, is most of what actually matters.
