
A lot of people treat printable recovery codes as something that should be protected, locked in a safe, etc. As a result they don't bother to use them as it seems like too much effort to secure them.

Please do not treat them this way. They do not grant access to your account. Print many copies of your recovery codes and spread them around. Wallet, home, car, parents' house, etc. It doesn't matter if they get stolen or whatever, again they don't grant access to your account, and they can be revoked at any time.

I know that educating people about this is not a scalable solution to the problem of people getting locked out of their accounts. But maybe it could help you, reader of this comment, if you someday need recovery codes.




I think it’s because of the copy that usually comes with these codes. It usually reads something like “COPY DOWN THESE CODES AND KEEP THEM IN A SAFE PLACE.” Which doesn’t come off as “look, you’ll still need your password.”


Yeah, the way it was written when generating the codes, I also had the impression that they would bypass everything.


> Please do not treat them this way. They do not grant access to your account.

Can you expand on that? Once I have such code, what’s stopping me from “stealing” the account?


You need the password too. That's what makes it two factor.
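Added example, not code posted by anyone in this thread or by any real service: a small Python sketch of the point above. The server stores only hashes of the recovery codes, checks the password before it even looks at the code, consumes each code once, and can revoke the whole set. The class and function names (Account, generate_recovery_codes, revoke_recovery_codes, login) are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo (not the thread's or any service's code): printed recovery
# codes act as the second factor; the password is still required.

class Account:
    def __init__(self, password: str):
        self.pw_salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.pw_salt)
        self.recovery_hashes: set[bytes] = set()  # only hashes are stored

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _hash_code(code: str) -> bytes:
    # Accept the printed "ab12-cd34-..." form or bare hex. With 64 bits of
    # entropy per code a plain SHA-256 keeps a leaked table from revealing them.
    normalized = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(normalized.encode()).digest()

def generate_recovery_codes(account: Account, count: int = 8) -> list[str]:
    """Issue a fresh set, revoking any earlier set; plaintext is returned once."""
    raw = [secrets.token_hex(8) for _ in range(count)]  # 16 hex chars each
    account.recovery_hashes = {_hash_code(c) for c in raw}
    return ["-".join(c[i:i + 4] for i in range(0, 16, 4)) for c in raw]

def revoke_recovery_codes(account: Account) -> None:
    """Invalidate every outstanding code, e.g. after the printed sheet is lost."""
    account.recovery_hashes.clear()

def login(account: Account, password: str, recovery_code: str) -> bool:
    """Both factors are required; a recovery code on its own never succeeds."""
    expected = _hash_password(password, account.pw_salt)
    if not hmac.compare_digest(expected, account.pw_hash):
        # Wrong password: leave the code unconsumed, so someone holding only
        # the printed sheet can neither log in nor burn the codes.
        return False
    digest = _hash_code(recovery_code)
    if digest not in account.recovery_hashes:
        return False
    account.recovery_hashes.discard(digest)  # each code works exactly once
    return True
```

Someone who finds the printed sheet but not the password gets a False from login every time, and the owner can still call revoke_recovery_codes or regenerate the set.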


If one of the factors is widely known, it's effectively not two-factor anymore.


No security system is absolute, and treating all threats as equally possible leads to terrible security decisions like not using printed recovery codes for fear of them getting stolen. You must pick a threat model before you can evaluate the security of a system.

Treating printed paper codes as "widely known" and effectively useless simply because they could theoretically be stolen is silly. In a reasonable threat model for almost all people, the intersection of the set of threats that might get access to printed paper codes and the set of threats that might hack/phish your password is very small. The vast majority of threats are still protected against, while the very real possibility of being locked out of your account is drastically reduced. It's a good trade for almost everyone.


I don't disagree with this, I disagree with the way you formulated it initially. There's a difference between sharing recovery codes with 2-3 trusted people vs. posting them literally everywhere which your original post seemed to imply.


Yeah, but the chances of some dude in Bangladesh finding out your 2FA code because you lost your wallet approaches 0%. Joe Blow from Kentucky ain’t gonna be the one stealing your account.


They are, however, secret codes, and should be regarded as confidential. Just because you can divulge them without direct harm does not mean you should publish them on billboards and Facebook for safekeeping.


This is true but isn't relevant to my advice. If you can't see the difference between keeping a nondescript piece of paper at the bottom of a drawer at your parents' house and posting it on Facebook then you should not be making any decisions relevant to security. And using the word "secret" causes people to treat the codes as more precious than they really are, and make bad decisions like not printing them at all.


What's the more likely scenario:

1. System reports "print out these recovery codes and deposit them in multiple places so you will never lose access to your account". User John Doe posts his security codes on his Facebook page and gets hacked.

2. System reports "print out these security codes and store them in a safe place". User prints them out and stores them in a drawer, but his house burns down and the user loses access forever.

Both scenarios are shitty, but I think 1 is more likely.

Of course, you could write a detailed guideline on where to store your codes, and that you should share them with some trusted people but not everyone etc. But who's gonna read that?

People who understand security already take threat models into account, but those who don't need very simple guidelines.



