Use case

How to send 2FA backup codes securely

Backup codes are literal skeleton keys to your accounts — and most people hand them over through email, Slack or WhatsApp, where they sit in searchable history forever. Here is how to get a code to the right person without leaving a copy anywhere.

Send a code over a disappearing chat — free, no sign-up

Why the usual channels are the wrong place for backup codes

A two-factor backup code exists for exactly one reason: it bypasses your second factor. Anyone who finds one can walk straight into the account it belongs to. That makes the channel you send it through as important as the code itself.

Email is the worst offender. A code sent by email lives in the sender's outbox, the recipient's inbox, both providers' servers, and every device that syncs either mailbox — indefinitely, fully indexed and searchable. If either mailbox is ever compromised, a quick search for "backup code" surfaces it in seconds.

Messaging apps are only marginally better. WhatsApp, Telegram and Slack all keep the message in history by default, back it up to the cloud, and sync it to every logged-in device. Even apps with disappearing modes usually persist the message somewhere first — in a backup, a notification log, or an export.

The safe pattern is simple: the code should exist in transit and nowhere else. Once the recipient has stored it properly (in a password manager, not a screenshot), no copy should remain on any server, in any history, on any device.

The safe ways to hand off a backup code

  • 1. A shared password-manager vault — best for ongoing access

    If you and the recipient already share a 1Password, Bitwarden or Proton Pass vault, put the code there. It is encrypted end-to-end, access is auditable, and nothing travels over a chat channel at all. The catch: it only works when both sides already use the same manager — which is rarely true for family members or one-off situations.

  • 2. A disappearing chat — best for a one-off handoff

    FadeChats gives you a private two-person room where messages travel peer-to-peer over an encrypted WebRTC channel and are never stored on any server. Send the code, confirm the other person saved it, close the tab — no history, no backup, no copy anywhere. No accounts or installs needed on either side, which makes it practical for the exact situation backup codes create: an urgent, one-time transfer to someone who won't install a tool for it.

  • 3. A self-destructing note — fine for one-way drops

    Services like Privnote or One-Time Secret encrypt a note and delete it after one read. Solid for a single code, but one-way: if the recipient needs to confirm, ask which account it belongs to, or request the next code, you're back on an insecure channel for the follow-up.

  • 4. In person or over a call — the analog fallback

    Reading a code aloud over a phone call leaves no digital copy (assuming neither side records). Slow and error-prone for long codes, but it works when nothing else is available.

Where a copy of your code ends up

ChannelServer copyDevice historySearchable later
EmailYes — both providers, indefinitelyEvery synced deviceYes
Slack / TeamsYes — workspace historyEvery logged-in deviceYes
WhatsApp / TelegramBackups and multi-device syncYes, unless manually deletedYes
Self-destructing noteUntil first readNoNo
FadeChatsNever — peer-to-peer onlyGone when the tab closesNo
Shared vaultEncrypted end-to-endEncrypted app storageOnly inside the vault

Behavior as of July 2026. Cloud-backup settings can change what messaging apps retain.

Sending a code over FadeChats

  1. Open FadeChats

    A private room is created instantly — no form, no email, no password.

  2. Send the one-time invite link

    Share it over any channel, even an insecure one. The link redeems exactly once and expires in minutes, so an intercepted link that was already used is worthless.

  3. Paste the code, confirm, close

    The code travels directly between your two browsers. Wait for the other person to confirm they stored it in their password manager, then close the tab — the conversation is gone and no copy ever touched a server.

The honest recommendation

If both of you live in the same password manager, use a shared vault — it's the right long-term home for a backup code anyway. For everything else — helping a parent recover an account, handing a teammate an emergency code, a one-off transfer to someone who won't install anything — use a disappearing chat and let the channel erase itself.

Frequently asked questions

Is it really unsafe to email a backup code and delete it after?

Deleting your copy doesn't delete the recipient's copy, the provider's server copies, or any backup either mailbox made in between. Email deletion removes one of many copies — the rest remain searchable.

What if someone intercepts the FadeChats invite link?

The invite link redeems exactly once and expires after 10 minutes. If your recipient already used it, an intercepted link is dead. If someone else redeems it first, your intended recipient can't get in — you'd notice immediately, and no code has been sent yet.

Can the other person screenshot the code?

Yes — no tool can truly prevent screenshots, including apps that claim to. The realistic goal is eliminating copies you don't control: server logs, chat histories and backups. The recipient is supposed to keep the code; the point is that nobody else does.

Where should the recipient store the code once they have it?

In a password manager entry, ideally attached to the account's login item. Not in a screenshot, a notes app, or the chat history of another messenger — that just recreates the problem one hop away.