A time-based one-time password (TOTP) is a login option provided by many of today's websites and services that can greatly increase the security of your accounts. However, if you don't properly store the secret associated with a TOTP token, you may one day find yourself unable to access the TOTP codes, or worse, your account may not be as secure as you think it is.
This article demonstrates a method for safely storing and restoring TOTP tokens.
Before we begin, here are links you'll want to reference later:
Note: open these links only in a private/incognito browser window, disconnect your computer from the Internet before using them, and close the private/incognito window before re-connecting to the Internet, so that the secret you paste into those pages never leaves your machine.
When activating a TOTP for a website, you are presented with a QR code that looks something like this:
You then use a smart phone app (we'll assume you're using the Google Authenticator app on iOS or Android) to scan the QR code. From then on, the app provides secondary login passwords for that site. The QR code contains a unique secret for your account. If anyone else ever has access to the secret, they can freely generate those same secondary passwords for your account.
Therefore, to keep your account safe, you should not store that QR code on your computer, or take a picture of it with your phone, and you shouldn't even store it inside your password manager. So what should you do with it?
To safely store the TOTP secrets, the most straightforward and secure option is paper.
Paper can't be stolen over the network, and it can't be scrambled by ransomware. I mean handwritten paper, not printed sheets (printers are notoriously insecure and often keep copies of what they print).
For the actual paper and pen to use, the idea is to be safe, not sorry. Gel pens generally have long-lasting, waterproof ink, so they're your best bet for this type of thing. I prefer a Uni-ball Signo 307, but a Pilot G2 will work too. If you don't have access to a gel pen a ballpoint will work just fine.
For the paper I like to use index cards, and these archival quality cards are ideal but any cards or paper you have on hand will work.
Now let's get started. Here are the steps we're going to follow:
When you first enable second-factor TOTP authentication on a site, the site will show a QR code. Use the Authenticator app to scan the QR code. The site will then ask you to enter a TOTP passcode to confirm that everything is working.
Here we can see we've used the QR code to add an entry in Google Authenticator for our example site:
Now that we've got our TOTP entry for the site loaded into the Authenticator app, we need to write a copy of it on paper for safe keeping.
Alongside the second factor authentication QR code, the site may also show a "manual code" which will be a jumble of letters and numbers.
If it does show a "manual code" (a jumble of letters and numbers), go directly to the Manual Code: Write the Secret to an Index Card step.
If it does not show the "manual code," and instead just shows the QR code, take a screenshot of it and save that to your desktop. Instead of a screenshot, you may be able to just drag the QR code image from the browser window to your desktop. If possible, your image should contain just the QR code with some white border area around it, something like this:
Next we need to convert the QR code to text so that we can actually write it down.
The page will show the data inside the QR code, and it will look something like
otpauth://totp/example.com:username?secret=ABCD1234ABCD1234&issuer=Example
or similar. The secret parameter is your account's key, base32-encoded; every character of it matters, which is why we check our transcription below.
Copy the otpauth://... string of text to your computer's clipboard.
On the private/incognito "QR Code Generator" tab, paste the otpauth://... string you copied into the "enter QR code data here" field:
Use your Authenticator app to scan the QR code displayed. If the Authenticator app shows that the original entry for the site and this duplicate one are generating the same passcodes, you have successfully extracted the secret data!
We've verified this QR code generates the same passcodes as the original entry:
Now we need to write it to paper.
Grab an index card and a pen, and write down these items:
The otpauth://... string
Here's an example card:
We'll now use that 8-character SHA-256 string to verify the information you just wrote to the card.
Enter the otpauth://... string from your card to create a QR code.
Now that you've written the QR code secret to a card, and checked your work, you can go on to the Cleanup step.
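The two checks used above (the 8-character SHA-256 value written on the card, and comparing passcodes between the original and the re-created entry) can both be done offline with a short script. This is an added example, not code from the original post; it assumes the check value is the first 8 hex characters of SHA-256 over the exact otpauth string, and the sample URI uses the RFC 6238 test key rather than a real account's secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample URI. The secret is the RFC 6238 test key
# "12345678901234567890" in base32, not a real account's secret.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return (secret, digits, period) from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    secret = query["secret"][0].replace(" ", "").upper()
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    return secret, digits, period


def check_hash(uri):
    """8-char transcription check: first 8 hex chars of SHA-256 over the exact text (assumed)."""
    return hashlib.sha256(uri.encode("utf-8")).hexdigest()[:8]


def totp_code(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses by default."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded, casefold=True)
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, unix_time=None):
    """Current passcode for a URI; compare it with what the app shows."""
    secret, digits, period = parse_otpauth(uri)
    return totp_code(secret, time.time() if unix_time is None else unix_time, digits, period)


if __name__ == "__main__":
    print("check value for the card:", check_hash(SAMPLE_URI))
    print("current passcode:", code_from_uri(SAMPLE_URI))
```

Run it on a machine that is offline, the same way the linked pages are used, and retype the string from the card to confirm the check value matches.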
If the site gives you a "manual code" grab an index card and write down these items:
Now that you've written the second factor secret, we should verify it's been written down correctly.
I keep all my index cards with TOTP secrets in a stack, with a blank cover sheet, clipped with a binder clip. And I keep them inside a plastic bag for extra water protection.
Why a cover sheet? Why a plastic bag? Because the name of the game is to keep your accounts safe and secure! Treat the cards like cash or other valuables to keep them safe.
Say you have a few sites' TOTP login secrets written down on index cards, and you lose your phone. Or however it happens, you find your Google Authenticator app is empty! How can you regain access to these sites?
For sites where you wrote down an otpauth://... secret, not a manual code:
Enter the otpauth://... string from your card into the "QR Code Generator" tab to create a QR code.
For sites where you did write down a manual code:
It's best to practice these steps a few times whenever you add TOTP authentication to a site. Once you've got the system working, you can consider disabling TOTP login for your existing sites, one at a time, then re-enabling their TOTP logins while storing the secrets to paper.
I personally don't like to use the "manual code" option even if a site displays that. I prefer to write down the full QR code data because I can easily check for typos using the SHA-256 hash of the data.
For writing the TOTP secrets I prefer to use Uni-ball Signo 307 pens and archival quality index cards. (These links are Amazon affiliate links, and by clicking them and purchasing those products you'll support this site.)