How to Store 2nd-Factor TOTP QR Codes

A time-based one-time password (TOTP) is a login option provided by many of today's websites and services that can greatly increase the security of your accounts. However, if you don't properly store the secret associated with a TOTP token, you may one day find yourself unable to access the TOTP codes, or worse, your account may not be as secure as you think it is.

This article demonstrates a method for safely storing and restoring TOTP tokens.

Before we begin, here are links you'll want to reference later:

Note: these links should be only opened in a private/incognito browser window, and disconnect your computer from the Internet before using them, and close the private/incognito browser window before re-connecting to the Internet

When activating a TOTP for a website, you are presented with a QR code that looks something like this:

You then use a smart phone app (we'll assume you're using the Google Authenticator app on iOS or Android) to scan the QR code. From then on, the app provides secondary login passwords for that site. The QR code contains a unique secret for your account. If anyone else ever has access to the secret, they can freely generate those same secondary passwords for your account.

Therefore, to keep your account safe, you should not store that QR code on your computer, or take a picture of it with your phone, and you shouldn't even store it inside your password manager. So what should you do with it?

To safely store the TOTP secrets, the most straightforward and secure option is paper.

Paper can't be stolen by hackers. Paper can't be scrambled by ransomware. And I don't mean printed sheets of paper (printers are notoriously insecure).

For the actual paper and pen to use, the idea is to be safe, not sorry. Gel pens generally have long-lasting, waterproof ink, so they're your best bet for this type of thing. I prefer a Uni-ball Signo 307, but a Pilot G2 will work too. If you don't have access to a gel pen a ballpoint will work just fine.

For the paper I like to use index cards, and these archival quality cards are ideal but any cards or paper you have on hand will work.

Now let's get started. Here are the steps we're going to follow:

Loading a New Site Into Authenticator

When you first enable the 2nd factor TOTP authentication on a site, the site will show a QR code. Use the Authenticator app to scan the QR code. The site will then ask you to enter a TOTP passcode to ensure everything's working.

Here we can see we've used the QR code to add an entry in Google Authenticator for our example site:

Now that we've got our TOTP entry for the site loaded into the Authenticator app, we need to write a copy of it on paper for safe keeping.

Alongside the second factor authentication QR code, the site may also show a "manual code" which will be a jumble of letters and numbers.

If it does show the "manual code" thing, a jumble of gibberish text, go directly to the Manual Code: Write the Secret to an Index Card step.

If it does not show the "manual code," and instead just shows the QR code, take a screenshot of it and save that to your desktop. Instead of a screenshot, you may be able to just drag the QR code image from the browser window to your desktop. If possible, your image should contain just the QR code with some white border area around it, something like this:

QR Code: Extract the Secret

Next we need to convert the QR code to text so that we can actually write it down.

  1. Open webqr.com in a private/incognito browser window
  2. In another tab in that private/incognito browser window, open my QR Code Generator page.
  3. After those pages are loaded, disconnect your Internet connection. Seriously. Turn off your computer's WiFi or unplug your computer's Internet cable. With the Internet disconnected you can still use those pages, but you can be more reassured that your secret QR code data is going to remain private.
  4. On the webqr.com page, click the right-hand camera icon (📷), and drag your screenshot or image containing the QR code to the file drop area on the page. The page will then show you the data it reads from the QR code. It will look something like this:

The page will show the data inside the QR code, and it will look something like

otpauth://totp/example.com:username?secret=ABCD1234ABCD1234&issuer=Example

or similar.

QR Code: Check Your Work

  1. Select and copy that entire otpauth://... string of text to your computer's clipboard
  2. On the private/incognito "QR Code Generator" tab, paste the otpauth://... string you copied into the "enter QR code data here" field:

  3. Use your Authenticator app to load the QR code displayed. If the Authenticator app shows both the original entry for the site and this duplicate one are generating the same passcodes, you successfully have extracted the secret data!

We've verified this QR code generates the same passcodes as the original entry:

Now we need to write it to paper.

QR Code: Write the Secret to an Index Card

Grab an index card and a pen, and write down these items:

  1. The website or service name
  2. The entire otpauth://... string
  3. The 8 characters of the SHA-256 shown on the "QR Code Generator" tab

Here's an example card:

QR Code: Triple Check with a Hash

We'll now use that 8 character SHA-256 string to verify the information you just wrote to the card.

  1. On the "QR Code Generator" page, write the entire otpauth://... string from your card to create a QR code
  2. Check that the 8 character SHA-256 string matches the one written on your card. If those 8 characters don't match, you wrote or typed something incorrectly

Now that you've written the QR code secret to a card, and checked your work, you can go on to the Cleanup step.

Manual Code: Write the Secret to an Index Card

If the site gives you a "manual code" grab an index card and write down these items:

  1. Write the website or service name
  2. Write the username or email address you use to log into the website or service
  3. Write the secret code (take your time!)
  4. Double-check the secret code that you wrote

Manual Code: Check Your Work

Now that you've written the second factor secret, we should verify it's been written down correctly.

  1. In the Authenticator app, click the "+" button and choose "Manual entry"
  2. Using just the information you wrote on the card, fill out the "Account" and "Key" fields
  3. Create the entry in the Authenticator app, and make sure it's generating the same numeric passcodes the original entry is generating.

Cleanup

  1. Select any word on this page and copy it. This overwrites your clipboard to erase the secret that may still be there.
  2. Delete any screenshots or images you created that have the QR code or secret data. This step is critical!
  3. Delete any duplicate entries in the Authenticator app you created for verification.
  4. Close the private/incognito window
  5. Re-enable your Internet connection

Keep it Safe

I keep all my index cards with TOTP secret in a stack, with a blank cover sheet, clipped with a binder clip. And I keep them inside a plastic bag for extra water protection.

Why a cover sheet? Why a plastic bag? Because the name of the game is to keep your accounts safe and secure! Treat the cards like cash or other valuables to keep them safe.

How to Restore TOTP Entries

Say you have a few sites' TOTP login secrets written down on index cards, and you lose your phone. Or however it happens, you find your Google Authenticator app is empty! How can you regain access to these sites?

For sites where you wrote down a otpauth://... secret, not a manual code:

  1. Open my QR Code Generator page in a private/incognito browser window
  2. Disconnect your Internet (turn off WiFi or unplug the Internet cable from your computer)
  3. Write the entire otpauth://... string from your card into the "QR Code Generator" tab to create a QR code
  4. Check that the 8 character SHA-256 string matches the one written on your card. If those 8 characters don't match, you typed something incorrectly into the page
  5. Scan the QR code with the Google Authenticator app — you have now restored your access to the site's TOTP passcodes!
  6. Close the private/incognito window
  7. Reconnect to the Internet

For sites where you did write down a manual code:

  1. In the Authenticator app, click the "+" button and choose "Manual entry"
  2. Using the information you wrote on the card, fill out the "Account" and "Key" fields — you have now restored your access to the site's TOTP passcodes!

Recommendations

It's best to practice these steps a few times whenever you add TOTP authentication to a site. Once you've got the system working, you can consider disabling TOTP login for your existing sites, one at a time, then re-enabling their TOTP logins while storing the secrets to paper.

I personally don't like to use the "manual code" option even if a site displays that. I prefer to write down the full QR code data because I can easily check for typos using the SHA-256 hash of the data.

For writing the TOTP secrets I prefer to use Uni-ball Signo 307 pens and archival quality index cards. (These links are Amazon affiliate links, and by clicking them and purchasing those products you'll support this site.)