The idea is that the second factor, such as requesting a confirmation code via your email, isn’t actually known to the attacker, so they have no way to get a recovery code.

If they have you logging in with your email address, then also use that email address for 2FA confirmation, that’s just badly designed.

The recovery code ideally wouldn’t be stored in the same place as the password itself. Common recommendation is to write it down on paper and store it somewhere, and keeping it as a single use option to prevent it from being reused indefinitely.

Kind of.

Most attacks aren’t targeted. 2FA, even with a recovery code, requires an attacker to both get the password and get the recovery code.

Since recovery codes are only kept with the individual and the service it means that an attacker would need to hack the service itself, and if they could do that then they wouldn’t need your account credentials.

Most account compromises happen because of password reuse.

Here’s an example. I have an account on Website A and Website B. I use the same password for both.

Website A gets hacked and all the usernames and passwords are leaked online.

Hackers take the passwords from Website A and try them on Website B. Since I used the same password on both they now can login to website B.

Now if I have 2FA enabled on website B they login with the password but they don’t have my 2FA so they fail to login. Even if I had recovery codes with Website B the attacker still doesn’t have those because they weren’t stored with Website A.

There’s some good info here, but I think a lot have missed the point. Let me add my .02…

There are several ways to authenticate somebody behind a keyboard. For many years, we’ve relied on “something you know.” That is, a password.

We could also authenticate you based on “something you are.” So… fingerprints, retina scan, palm vein, even walking gait.

Lastly, we can authenticate based on “something you have.” A “key file,” a phone, an RSA key.

Two factor authentication (2FA), or Multi factor authentication (MFA), uses a combination of two or more of these methods. So when you’re setting up 2FA and they provide you with backup codes, this is still “something you have” and should be used as a last resort to reconfigure your MFA as necessary.

To answer your question: No, the backup/recovery code is not a password. Your password is your password. Your recovery code will allow you to reconfigure your MFA solution in the event you lose the “something you have” factor of your MFA solution.

The second factor doesn’t have to be linked to a device. It can be linked to an email, which you can access from any device.

The idea is it’s now twice has hard for an attacker to get your password, because they need the verification code from either your device or email, but they don’t know your email or have access to your device, so they would need to gain access to that in order to break in.

It just needs to be a second factor (2 factor identification) it doesn’t need to be a physical device.

You have three doors to bypass before you can get into your house. Each door has its own key. Now, if a thief steals your bag and you accidentally put all 3 keys inside it, well, you are done. But what if the thief steals your bag and only finds 1 key, well, you are still safe. The thief with 1 key cannot get inside your house behind 3 doors.

But remember to change your keys, no matter 1 or 3 keys are stolen.

The point of Two Factor is that it *utterly* precludes replay attacks and regular password theft. Yes, you do have a recovery code which permits you to re-set your 2FA device/app, but that code is never transmitted over the wire, so it’s far, far more difficult to capture and decrypt.

[deleted]

It’s the “Something you have, and something you know” model. The something you have part reduces the likelihood of an attackers success by orders of magnitude (no clue to real number but probably a lot).

A really important concept in security is that of a threat model. Basically, you don’t design security measures around any and all attackers, you have to design it around the sort of bad guys you actually expect to face. Doing otherwise is a waste of resources.

E.g. if you have a shop, putting alarm tags on products is effective at dealing with shoplifters, but will do nothing against armed robbers. That’s okay, because, for most shops, shoplifters are a real problem but armed robbers really aren’t. Bullet proof glass and armed security are incredibly pointless expenses for Primark. If you’re a jeweler, though, you are in the business of selling sufficiently valuable goods that an armed robbery becomes a concern.

For most people, having recovery codes in a file on their computer or phone (or even written on a piece of paper on their desk) is fine, because the purpose of 2FA isn’t to deter the people who might get access to your computer or phone, but rather to deter random people online who managed to guess your password somehow.