> Not on any third party system, where you're locked out forever if you lose your second factor.
Every two-factor system I've ever seen is actually two-of-three, with an account recovery code that you save elsewhere.
I lost all my two-factor auths when my phone got wrecked, it was annoying to reestablish access to those accounts (and I now use a TOTP client which backs the tokens up), but it was tedious rather than difficult.
> and I now use a TOTP client which backs the tokens up
What are some good options for this? I think my ideal solution would export an encrypted file, a bit like KeePass does on the desktop, but I don't know of many mobile apps for that.
It has two security levels: normal-level security codes will unlock when the phone is unlocked, high-level security codes require a separate unlock to get the code. The former back up to iCloud (E2E encrypted), the latter don't back up.
The recovery codes I've seen tend to have been 10 8-digit sequences.
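As an added illustration of the "ten eight-digit codes" scheme mentioned above (this is example code, not anything from the thread or from any particular service), here is how such codes are typically generated and checked on the server side: the codes come from a CSPRNG, only salted hashes are stored, each code can be redeemed exactly once, and comparison is constant-time. The iteration count, salt size and class name are my own choices. It also computes the per-attempt guess probability, which is why services that use short numeric codes must rate-limit recovery attempts.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10          # ten codes, as described in the thread
CODE_DIGITS = 8          # eight decimal digits each
HASH_ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware


def generate_recovery_codes(count=CODE_COUNT, digits=CODE_DIGITS):
    """Return `count` distinct numeric codes of `digits` digits from a CSPRNG."""
    codes = []
    while len(codes) < count:
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        if code not in codes:          # avoid handing out the same code twice
            codes.append(code)
    return codes


def normalize(code):
    """Strip the spaces/dashes users commonly add when writing codes down."""
    return code.replace(" ", "").replace("-", "").strip()


def _hash_code(code, salt):
    # Salted, iterated hash so a leaked database does not directly reveal codes.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, HASH_ITERATIONS)


def guess_probability_per_attempt(remaining, digits=CODE_DIGITS):
    """Chance that one random guess hits any still-unused code."""
    return remaining / (10 ** digits)


class RecoveryCodeStore:
    """Server-side record of a user's recovery codes (hashes only, single use)."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        # hash -> used flag; the plaintext codes are never retained here
        self._hashes = {_hash_code(c, self.salt): False for c in codes}

    def remaining(self):
        return sum(1 for used in self._hashes.values() if not used)

    def redeem(self, candidate):
        """Consume a code. Returns True exactly once per valid code."""
        digest = _hash_code(candidate, self.salt)
        matched = None
        # Compare against every stored hash in constant time; do not break early,
        # so timing does not reveal which slot (if any) matched.
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None or self._hashes[matched]:
            return False
        self._hashes[matched] = True
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Codes to show the user once:", " ".join(codes))
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("remaining:", store.remaining(),
          "per-attempt guess probability:", guess_probability_per_attempt(store.remaining()))
```

Usage note: the plaintext list returned by `generate_recovery_codes` is shown to the user once and then discarded; everything the service keeps is in `RecoveryCodeStore`. Because ten unused eight-digit codes give an attacker a one-in-ten-million chance per guess, the store must sit behind the same lockout or rate limiting as the password check.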
If you don't have a printer and care about recovery codes, those are easy enough to transfer manually onto dead-tree material using a stylus-like handheld device that deposits graphite or ink onto the surface it touches.
When I know it's important to decipher something later, I have a 100% accurate decoding rate on my own handwriting, so that's not a problem. It's not hard to write clearly and carefully. In addition, they give you ten codes to use, so you'd need to make indecipherable errors in all of them. Also, having a safe place to store documents is table stakes for adulthood.
I would hope that when a software dev sees a widget that says "these are your recovery codes, write them down or copy them to a secure location or you may lose access to your account", they do exactly that.
Except for codes which protect my money (which go onto paper, which goes in a safe), I put them in a password vault. TOTP offers protection against getting shoulder-surfed, keylogged, or phished; it isn't much protection if Mallory gets access to my entire password vault. YMMV.
> I would hope that when a software dev sees a widget that says "these are your recovery codes, write them down or copy them to a secure location or you may lose access to your account", they do exactly that.
Yes, software developers are known for never making any mistakes.