Securely store or share two-factor authentication backup codes. View once, then gone.
Backup recovery codes are the printable list a service hands you the day you turn on two-factor authentication. Google issues ten 8-digit codes, GitHub sixteen XXXXX-XXXXX codes, Microsoft a 25-character recovery key, AWS root MFA ten alphanumeric strings. Each code is single-use, and the remaining list is the only thing between you and a permanent lockout if your authenticator phone goes overboard.
The default places people stash codes are uniformly hostile. Screenshotted to the camera roll, the printable PDF is OCR-indexed by iCloud Photos and searchable inside the account it is supposed to protect. Pasted into Apple Notes or Google Keep, codes sync across every signed-in device. Dropped into a Gmail draft, they sit in All Mail forever.
PasteOnce fits the narrow handoffs recovery codes actually need: giving a copy to a spouse for incapacitation, lodging a sealed copy with an estate executor before high-risk travel, or moving a freshly regenerated set to a device where your password manager is not yet signed in. Pair it with regenerate-after-use discipline.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
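The flow described above, sketched as an added example (not PasteOnce's own code) using the Web Crypto API. The blob layout (12-byte IV prepended to the ciphertext), the URL shape, the `paste.example.invalid` host, the function names, and the in-memory `Map` standing in for the server and its Redis GETDEL are all assumptions made for illustration.

```javascript
// Added illustration, not PasteOnce's code; runs in a browser or in Node.js.
const webCrypto = async () =>
  globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
const toB64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (ch) => ch.charCodeAt(0));

// Hypothetical stand-in for the server: it only ever holds opaque blobs.
const store = new Map();
function getdel(id) {
  // Same contract as Redis GETDEL: return the value and remove it in one step.
  const blob = store.has(id) ? store.get(id) : null;
  store.delete(id);
  return blob;
}

// Sender side: encrypt locally, upload the blob, keep the key in the fragment.
async function createLink(plaintext) {
  const c = await webCrypto();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh nonce per message
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const id = toB64u(c.getRandomValues(new Uint8Array(16)));
  store.set(id, toB64u([...iv, ...ct])); // the "upload": IV || ciphertext+tag
  const rawKey = new Uint8Array(await c.subtle.exportKey('raw', key));
  // Browsers do not send the part after '#' in HTTP requests.
  return `https://paste.example.invalid/s/${id}#${toB64u(rawKey)}`;
}

// Recipient side: one fetch consumes the blob, then decrypt in the browser.
async function openLink(link) {
  const c = await webCrypto();
  const url = new URL(link);
  const blob = getdel(url.pathname.split('/').pop());
  if (blob === null) return null; // already read, or expired
  const bytes = fromB64u(blob);
  const key = await c.subtle.importKey(
    'raw', fromB64u(url.hash.slice(1)), { name: 'AES-GCM' }, false, ['decrypt']);
  // GCM authenticates the ciphertext: a modified blob rejects instead of decrypting.
  const pt = await c.subtle.decrypt(
    { name: 'AES-GCM', iv: bytes.slice(0, 12) }, key, bytes.slice(12));
  return new TextDecoder().decode(pt);
}
```

Because the key lives only in the fragment, anything that records the full URL (browser history, a chat client's link preview, a screenshot) holds the key, so the link itself has to be handled as the secret until it is opened.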
Google, GitHub, Microsoft, Twitch, and Discord all expose a 'Generate new codes' button that invalidates the previous list atomically. Treat 'logged in with a recovery code' and 'rotate the whole list' as one inseparable action.
If you store the printout offline, separate the codes from any string identifying the account they belong to. A burglar finding sixteen XXXXX-XXXXX strings has nothing; the same sheet labelled 'github.com — alice@example.com' is a target.
For accounts whose loss would damage your life — primary email, banking, password-manager master — give a sealed envelope or PasteOnce link to one person reachable in a crisis. Refresh annually so codes do not silently expire alongside an account migration.
1Password's Document field, Bitwarden's Secure Note, and Dashlane's Secure Notes accept the codes encrypted under your master vault. This survives device loss — provided the vault is not the account you are recovering.
Before crossing a border known for compelled-device unlock, a journalist regenerates recovery codes for her email and Signal, sends one set to a colleague via PasteOnce, and wipes the local copy. If the phone is taken, she still has a path back.
A widowed parent runs the family finances from one Gmail address controlling every billing relationship. Their adult child receives a PasteOnce link with current Google and Microsoft recovery codes; the parent resends each January, and the printout sits in a safe.
An engineer replaces SMS 2FA with a YubiKey 5C on the AWS root account. The console issues a fresh set of recovery codes. They PasteOnce the codes to a machine where 1Password is signed in, drop them into a Secure Note, and the link expires.
No. The QR encodes a TOTP secret that produces a fresh six-digit code every 30 seconds indefinitely. Backup codes are a separate list of single-use strings printed once. Sharing the seed gives permanent live access; one backup code gives exactly one login.
Yes — more than before. A WebAuthn passkey synced through iCloud Keychain or Google Password Manager is unreachable if you lose that synchroniser, and most services still treat recovery codes as the trump card. Regenerate whenever you add a passkey device.
Apple Legacy Contact, Google Inactive Account Manager, and Facebook Memorialization cover some of this in-platform; the rest is patchy. For other accounts, lodge a sealed printout with your estate attorney and document which accounts the codes belong to in your will.
Both, in different places. A printed copy in a home safe survives a digital compromise; a digital copy in a password manager you do not use to reach that account survives a house fire. The worst mistake is keeping the digital copy in the inbox the codes recover.