by eternityforest 1512 days ago
That's one reason I definitely prefer SMS auth to any other method at the moment.

What if your phone is damaged while traveling and you are away from where you stored your recovery keys?

2 comments

Whenever I add a new 2FA token, I always add it to my phone and a TOTP app (Authy) on my computers. Same thing for recovery keys.
You can always bring a paper recovery code or FIDO authenticator (both of which are safe against SIM swapping attacks).
We've been told for decades to "not write passwords on post-its" and we're really back to square one...
It's not a password, it is a secondary, single-use recovery second factor.

Carrying that around in a wallet doesn't make you any more vulnerable to physical attackers than carrying your Yubikey on a keyring, and it's much more secure against remote attacks than SMS-2FA (where you can fall victim to SIM swapping, number porting attacks etc).

Ideally the paper would be in a safety deposit box / safe and not stuck to your monitor.
If it fits your need to have it in a fixed location, then yes.

But he talked about traveling.

IDK about you, but I don't travel with a safe in my backpack.

Just put it in your wallet and/or luggage. Without your account name and password, it's useless to any potential thief.
Lots of people's luggage includes enough info to work out their name and likely home location, which is commonly enough to work out their username for a lot of popular services.

That makes the whole "stolen luggage" thing even far riskier. :/