Your primary 2FA method can fail — lost phone, broken hardware, dead battery. Here are the best backup methods to keep you from getting locked out, ranked by security and redundancy.
getting locked out of your own accounts is one of the most frustrating experiences in modern life. you set up two-factor authentication (2FA) to be more secure, but if your primary method — say, an authenticator app on your phone — suddenly disappears, you can find yourself locked out for days or weeks. this is called "2FA lockout," and it's more common than most people think.
the solution isn't to skip 2FA. it's to have a robust backup strategy that gives you multiple, independent ways to authenticate. here's what we recommend, ranked from most to least secure.
before we dive into specific picks, it helps to know what we're optimizing for. a good backup method should be phishing-resistant, usable without a network connection, and independent of your primary method, so that whatever took the primary out doesn't take the backup out too. those are the same three criteria the comparison table further down is scored on.
the goal is two distinct recovery paths, for example a hardware key as your primary backup and a password manager as your secondary, so that if one path fails you still have a fallback.
if you only do one thing, buy two hardware security keys. keep one on your keychain and one in a safe place (safe deposit box, fireproof safe, or trusted friend's house). register both keys with every account when you enable 2FA: a FIDO2 credential lives only on the key that created it, so a spare key that was never enrolled can't sign you in.
the yubico yubikey 5 series is our top pick. it supports FIDO2/WebAuthn, which is phishing-resistant by design: each credential is bound to the site that registered it, and the key signs a challenge that includes the origin the browser actually loaded, so a look-alike login page can't obtain a signature the real site will accept. it also supports FIDO U2F, smart card (PIV), and one-time passwords (OATH-HOTP) for services that don't yet support FIDO2.[1]
why it wins: because FIDO2 credentials are scoped to the registering site, hardware keys are the only method on this list that's phishing-resistant by design. the private key never leaves the device, so the credential can't be copied, and the key works with no network connection. NIST's digital identity guidelines (SP 800-63B) require a hardware-based, phishing-resistant authenticator for their highest authenticator assurance level, which is why hardware keys are the standard advice for high-value accounts.[1]
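to make the origin-binding argument concrete, here is an added example (not yubico's code, and not part of the original article) that simulates the three parties in a WebAuthn login: the key, the browser, and the site. the Authenticator, BrowserGet and Verify names are this example's own, and it simplifies two things: the RP ID is taken to be the page's hostname (real browsers also allow a registrable parent domain), and authData is reduced to the RP ID hash, a flags byte and a counter. the point it shows is that a look-alike domain never gets an assertion at all, and that an assertion captured for one challenge can't be replayed for another.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Authenticator stands in for the hardware key. Credentials are stored under the
// relying-party ID (RP ID) they were registered for, as a FIDO2 key scopes them;
// a look-alike domain has no entry and gets nothing.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key pair for rpID and returns the public key the site
// stores. The private key never leaves the authenticator.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is what the site receives from the browser after a login ceremony.
type Assertion struct {
	AuthData       []byte // sha256(rpID) || flags || counter (simplified layout)
	ClientDataJSON []byte
	Signature      []byte
}

// clientData is built by the browser, not by the page's JavaScript, so the
// origin field is the real origin the user is looking at.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what the key signs: sha256(authData || sha256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// BrowserGet models navigator.credentials.get(): the browser derives the RP ID
// from the page origin and asks the key for a credential scoped to that RP ID.
func BrowserGet(a *Authenticator, pageOrigin, challenge string) (*Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, err
	}
	rpID := u.Hostname()
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential registered for " + rpID)
	}
	cdj, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cdj, Signature: sig}, nil
}

// Verify is the site's side: origin and challenge inside the signed client data,
// then the RP ID hash, then the signature against the stored public key.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, rpID, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge (replay?)")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 32 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	key := NewAuthenticator()
	pub, _ := key.Register("example.com")
	as, err := BrowserGet(key, "https://example.com", "challenge-1")
	fmt.Println("real site:", err, Verify(pub, "https://example.com", "example.com", "challenge-1", as))
	_, err = BrowserGet(key, "https://example.com.login-check.test", "challenge-2")
	fmt.Println("look-alike site:", err)
	fmt.Println("replay with new challenge:", Verify(pub, "https://example.com", "example.com", "challenge-2", as))
}
```

the second scenario is the one that matters for phishing: the browser hands the key the look-alike hostname, the key has no credential for it, and there is nothing for the fake page to capture or relay. a TOTP code has no such scoping, which is the trade-off discussed under the password-manager picks.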
a password manager like 1password can store your TOTP seeds (the shared secrets that generate the six-digit codes) alongside your passwords. this sounds counterintuitive (aren't you putting all your eggs in one basket?), but done right, it's a workable backup strategy.
1password encrypts your entire vault with your master password and a secret key. even if 1password's servers are breached, your data is unreadable without both. the convenience factor is huge: your 2FA codes are available on every device where you have 1password installed, and they sync automatically.[2]
the trade-off: TOTP codes are phishable. a fake login page can capture your code and relay it to the real site within the same 30-second step (most services also accept the adjacent step to allow for clock drift, so the attacker has up to a minute). and because the seed sits in the same vault as the password, anyone who gets into an unlocked vault has both factors at once. for most people this is an acceptable risk for the convenience gain, but it's not as strong as a hardware key.
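to show exactly why a captured TOTP code is useful to a phisher, here is an added example (not 1password's code, and not from the original article) that implements RFC 4226 HOTP and RFC 6238 TOTP with a typical server-side check, then models a relay: the code is captured at one time and submitted at a later one. the HOTP, TOTP, VerifyTOTP and Relay names are this example's own; the step, digit count and one-step skew tolerance are the common defaults rather than any particular service's settings. the secret "12345678901234567890" is the RFC test vector key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", bin%mod)
}

// TOTP (RFC 6238) is HOTP with the counter set to the current time step, so every
// client with the same seed and a clock produces the same code for `step` seconds.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP is the server-side check. skew is how many adjacent steps the server
// tolerates on either side for clock drift; 1 is the common choice. The comparison
// is constant-time so the check itself doesn't leak digits.
func VerifyTOTP(secret []byte, code string, unixTime int64, step int64, digits int, skew int64) bool {
	counter := unixTime / step
	for d := -skew; d <= skew; d++ {
		c := counter + d
		if c < 0 {
			continue
		}
		if hmac.Equal([]byte(HOTP(secret, uint64(c), digits)), []byte(code)) {
			return true
		}
	}
	return false
}

// Relay models the phishing case: the victim types the code into a fake page at
// captureTime and the attacker submits it to the real site at submitTime.
// The seed is never stolen; the code is simply reused while it is still valid.
func Relay(secret []byte, captureTime, submitTime int64) bool {
	stolen := TOTP(secret, captureTime, 30, 6)
	return VerifyTOTP(secret, stolen, submitTime, 30, 6, 1)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key, for illustration only
	fmt.Println("code at t=59:", TOTP(secret, 59, 30, 8))
	fmt.Println("relay 10s later:", Relay(secret, 1000, 1010))
	fmt.Println("relay 40s later:", Relay(secret, 1000, 1040))
	fmt.Println("relay 100s later:", Relay(secret, 1000, 1100))
}
```

the first two relays succeed and the third fails: nothing in the code ties it to the site it was typed into, only to the seed and the clock, so the attacker's job is just to be fast. that window is the whole difference between TOTP and the origin-bound FIDO2 assertion above.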
the yubico yubikey bio adds a fingerprint sensor to the hardware-key formula. the fingerprint is matched on the key itself, so someone who steals the key can't use it without a matching finger or the key's PIN.
it supports the same FIDO2/WebAuthn protocols as the standard yubikey, and the biometric layer adds "something you are" to the "something you have" factor. one caveat: the key still has a PIN, which is needed to enroll fingerprints and which the key falls back to after repeated failed fingerprint reads, so the biometric protects a stolen key against someone who doesn't know your PIN, not against someone who does.[1]
why consider it: the biometric layer makes this the most physically secure option. if you're a journalist, executive, or anyone with a heightened threat model, this is worth the premium over the standard yubikey.
keeper security is another strong password manager that doubles as a 2FA backup solution. it stores TOTP seeds and emergency recovery codes in an encrypted vault, and it offers a "break-the-glass" emergency access feature that lets designated contacts request access to your vault if you're unreachable.[3]
why it's different: the emergency access feature sets it apart from the other picks here. it's not just about backing up your own 2FA, but about ensuring someone you trust can get in if something happens to you. this is especially valuable for families and small businesses.
no matter which method you choose, follow this rule: have at least two independent recovery paths that don't share a single point of failure.
for example:
- primary: an authenticator app on your phone
- first backup: a hardware security key
- second backup: TOTP seeds stored in your password manager
- last resort: printed backup codes in a safe
if your phone dies, you still have the hardware key. if you lose the hardware key, you still have the password manager. if both fail, the printed codes get you in.
most services give you backup codes when you enable 2FA. each code stands in for your second factor exactly once (you still need the password). they're a good last resort, but they have a major weakness: they're static. a TOTP code expires in seconds and a hardware key won't sign for the wrong site, but a backup code stays valid until it's used, so anyone who finds your printed list can use it with nothing more than your password.
our advice: store backup codes in your password manager (encrypted) and keep a printed copy in a secure physical location. don't carry them in your wallet, and regenerate the set if you think a copy has been seen.
| method | phishing resistance | offline use | independence | best for |
|---|---|---|---|---|
| yubikey 5 | excellent | yes | excellent | high-value accounts |
| 1password | good (TOTP) | partial | good | everyday convenience |
| yubikey bio | excellent | yes | excellent | high-threat models |
| keeper | good (TOTP) | partial | good | families & teams |
our top recommendation: buy two yubikey 5 series keys and enroll both on every account that supports them. keep one on your keychain and store the other in a safe place. then set up 1password as a secondary backup for convenience. print your recovery codes and store them in a fireproof safe. that's three independent recovery paths, and losing any one of them won't lock you out.
disclosure: askbuy earns a commission if you purchase through the links above. we only recommend products we've tested and verified.