Two-factor authentication via SMS, which can be intercepted, can be a less-than-ideal security measure. Yet, some systems, such as banks, don’t support interaction with apps like Authy or Google Authenticator and insist on sending 2FA codes via SMS. For the more security-minded, this isn’t really a good option.

Fortunately, some services offer 2FA backup codes that can be used instead. Google is one such service. When you set up 2FA for Google, you are given the option to generate backup codes. You can use these codes instead of SMS 2FA. These backup codes work, and when you run out, you can always generate more. Here’s how.

Note: If you have joined Google’s Advanced Protection Program or use security keys with your account, you may not be able to generate backup codes.

Jump to:

How to retrieve those codes

If you didn’t print out your backup codes upon setting up 2FA, the first thing you need to do is retrieve them. To do that, you must:

  1. Log in to your Google account.
  2. Select 2-Step Verification from the Security menu; you may be prompted to log in once again.
  3. If you haven’t set up backup codes for your account, from the Security menu, select Backup codes from the How you sign in to Google section (Figure A, left).
  4. Otherwise, you may access the backup codes in the 2-Step Verification section (Figure A, right).

Figure A

Either configure backup codes for the first time (left) or access existing backup codes.
Either configure backup codes for the first time (left) or access existing backup codes (right).

Once created, you may display your backup codes. You can then download them as a .txt file or print them directly. The list will also show you only those codes you have not used, as the rest will be listed as ALREADY USED.

SEE: Explore TechRepublic Premium’s password management policy.

Word of caution

For those that opt to download the .txt file, I suggest you encrypt that file. Don’t leave it hanging around, unprotected, on your local drive for prying eyes to sneak a peek. Also included in that file is your Gmail address associated with the account. I highly recommend you delete that line in the file on the off-chance someone does stumble upon the file and manages to open it.

The last thing you want is to make it easy for a bad actor to put two-and-two together and realize those codes are associated with that address. There is also a line that looks like this:

Need more? Visit https://g.co/2sv

I recommend deleting that line, as it could give away the secret of what those codes are for. Once you’ve deleted those lines, save and close the file. Encrypt it, and your codes are less likely to be seen by prying eyes.

How to generate new codes

In that same area where your backup codes appear, you’ll see a circle with an arrow (Figure B). Click that, and new backup codes will be generated.

Figure B

You may print, download or generate new backup codes as indicated by the red box.
You may print, download or generate new backup codes as indicated by the red box.

Here’s a tip: Only use nine of those codes, and consider the 10th your key to get more codes. This is especially true if you opt to not use a mobile app for Google 2FA. You don’t want to find yourself without that one last key, so you can log in and generate more.

Not a perfect solution

2FA is not a perfect solution. But if you can avoid using sites and services that send 2FA codes via SMS — and if those sites in question start supporting mobile 2FA apps — you’ll be less likely to have your codes stolen and used against you. Even so, you might consider only using these Google codes for 2FA authentication. Use them wisely, and understand that when it comes to security, nothing is ever 100%.

Still not sure about using 2FA codes? Try out these authenticator apps:

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays