Most accounts with two-factor authentication (2FA) provide you with backup codes to use in case your phone is lost or stolen. For example, Google provides a list of 10 backup codes when setting up 2FA. These codes need to be stored securely but also need to be accessible. If anyone is able to obtain the 2FA codes, they can bypass 2FA on my account.
Some people have suggested printing out the codes and storing them in your luggage. Instead, I've been putting the backup codes in a digital crypto store with a unique key known only to me. I am using client-side encryption, which requires special software that I may not have access to while traveling.
As my phone is the only computing device I have when I travel, I'm trying to cut out the requirement for decryption software. I'd also like to retain control of my keys, so a vault with key knowledge (Dropbox, Google Drive, etc.) is also out of the question.
Therefore, I am considering another option. Instead of storing the backup codes in a digital vault that requires software for decryption, what if I encrypt them with the manual one-time pad method (text char + key char then mod 26) and make the ciphers publicly available? When I lose my phone, I can decrypt the ciphers by hand with the key I memorize without needing special software.
This provides a couple of additional benefits:
- I can store the encrypted backup codes in multiple locations such as my wallet, my luggage, and on a publicly-accessible webpage.
- I only need to memorize one key for all my backup codes across multiple accounts.
- It does not matter if my backup code ciphers get lost or stolen.
My question is: Is this a secure method for storing 2FA backup codes? What are the security risks? What am I overlooking?
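The hand cipher described in the question (plaintext character + key character, mod 26) written out in code, as an added example that is not part of the original post. It implements the scheme exactly as stated, with the memorized key repeating when it is shorter than the text, and then shows two arithmetic properties of modular addition that follow directly from reusing one key for several codes: subtracting two ciphertexts cancels the key and leaves the difference of the two plaintexts, and a single known code/ciphertext pair yields the key characters used at those positions. The alphabet parameter, the digit alphabet for numeric backup codes, and the sample codes are assumptions constructed for the example.

```python
"""Manual shift cipher from the question: c[i] = (p[i] + k[i mod len(k)]) mod n.

Added example, not the question author's code. The sample codes and keys
below are constructed; the digit alphabet is an assumption for the common
case of numeric backup codes.
"""
import string

UPPER = string.ascii_uppercase   # mod 26, as described in the question
DIGITS = string.digits           # mod 10, assumed for numeric backup codes


def _index(alphabet):
    """Map each symbol of the alphabet to its position."""
    return {c: i for i, c in enumerate(alphabet)}


def shift_encrypt(plaintext, key, alphabet=UPPER):
    """Add key symbols to plaintext symbols position by position, mod len(alphabet).

    The key repeats when it is shorter than the plaintext, which is what a
    single memorized key applied to many codes amounts to.
    """
    idx, n = _index(alphabet), len(alphabet)
    return "".join(
        alphabet[(idx[p] + idx[key[i % len(key)]]) % n]
        for i, p in enumerate(plaintext)
    )


def shift_decrypt(ciphertext, key, alphabet=UPPER):
    """Inverse of shift_encrypt: subtract the key symbols, mod len(alphabet)."""
    idx, n = _index(alphabet), len(alphabet)
    return "".join(
        alphabet[(idx[c] - idx[key[i % len(key)]]) % n]
        for i, c in enumerate(ciphertext)
    )


def symbol_difference(a, b, alphabet=UPPER):
    """Position-wise (a - b) mod n for two equal-length strings."""
    idx, n = _index(alphabet), len(alphabet)
    return "".join(alphabet[(idx[x] - idx[y]) % n] for x, y in zip(a, b))


def recover_key(plaintext, ciphertext, alphabet=UPPER):
    """Key symbols at each position are simply ciphertext minus plaintext."""
    return symbol_difference(ciphertext, plaintext, alphabet)


def key_cancels_under_reuse(p1, p2, key, alphabet=UPPER):
    """True iff (c1 - c2) == (p1 - p2): the shared key drops out entirely."""
    c1 = shift_encrypt(p1, key, alphabet)
    c2 = shift_encrypt(p2, key, alphabet)
    return symbol_difference(c1, c2, alphabet) == symbol_difference(p1, p2, alphabet)


if __name__ == "__main__":
    key = "KEY"                      # constructed memorized key
    code_a, code_b = "HELLO", "WORLD"  # constructed letter "codes"
    ct_a = shift_encrypt(code_a, key)
    print(code_a, "->", ct_a, "->", shift_decrypt(ct_a, key))
    print("key cancels under reuse:", key_cancels_under_reuse(code_a, code_b, key))
    print("key from one known pair:", recover_key(code_a, ct_a))
    # Numeric backup code with a digit alphabet (assumed mod-10 variant).
    num_ct = shift_encrypt("12345678", "9876", DIGITS)
    print("12345678 ->", num_ct, "->", shift_decrypt(num_ct, "9876", DIGITS))
```

The two helper checks are the ones worth running before adopting the scheme: `key_cancels_under_reuse` is exactly why the method stops being a one-time pad once the same memorized key covers more than one code, and `recover_key` shows that any single code an attacker learns in the clear gives back the key positions covering it.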