Pattern for keeping 2fa recovery codes in Vault

So I haven’t really found a great way to handle my recovery codes for various 2fa services out there. They seem to be a list of a handful of codes that in the event of me losing my 2fa device or ability to use it would let me get back into the account. After one use of one code, it cannot be used again.

Is there a way to store this kind of list in vault, and request the “next code” using the api somehow, so that every time I ask for one, the old one gets removed or marked as used, and then the next time one is needed, I would get the next unused one?

No, there isn’t a feature in Vault that would work like this.

Vault isn’t really designed to be secret storage for an individual’s personal credentials. It’s more aimed at complex computer infrastructure.

Arguably, there is something to be said for keeping people’s 2FA recovery codes available to take care of and interact with that complex computer infrastructure, but fair enough. Thanks for your reply.

One of the great things about Vault is if certain functionality isn’t available “out of the box” you are able to create your own secret engine to do whatever you want. However I would suggest that for personal password storage some of the other systems (LastPass, Bitwarden, etc.) are usually better choices, as they have more focussed features for that use case, such as emergency access, browser auto-completion, etc.

Thanks for your suggestion! I have a working solution for my passwords, it’s specifically the recovery codes for 2fa that I would prefer to not have in the same system as those passwords. I am integrating Vault for my server-side secrets primarily, but it would be nice to have somewhere to offload this particular type of storage, so I was hoping to kill two birds with one stone.

Of course, spending a couple of hours adding some frontend functionality might work, I was just hoping I could just lean back with an umbrella drink instead, while I got all of it for free. :)
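The “next code” operation the original question asks for can be scripted on top of the KV v2 engine without a custom secrets engine. The following is an added example, not code from this thread or from Vault itself; it assumes `VAULT_ADDR` and `VAULT_TOKEN` in the environment, a KV v2 mount at `secret/`, and a secret whose data has the constructed layout `{"unused": [...], "used": [...]}`.

```python
"""Consume 2FA recovery codes from a Vault KV v2 secret, one per call.

Added example, not from the thread or from Vault. Assumes VAULT_ADDR and
VAULT_TOKEN in the environment, a KV v2 mount at secret/, and a secret
whose data is {"unused": [...], "used": [...]} (constructed layout)."""
import json
import os
import urllib.request


def pop_next_code(data):
    """Return (code, new_data): the first unused code moved to the used list.

    Pure function (input is not modified); raises LookupError once every
    code has been consumed so the caller never silently gets a reused code.
    """
    unused = list(data.get("unused", []))
    used = list(data.get("used", []))
    if not unused:
        raise LookupError("no unused recovery codes left")
    code = unused.pop(0)
    used.append(code)
    return code, {"unused": unused, "used": used}


def _request(method, path, body=None):
    """Minimal Vault HTTP API call using the token from the environment."""
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path
    req = urllib.request.Request(url, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    payload = None
    if body is not None:
        req.add_header("Content-Type", "application/json")
        payload = json.dumps(body).encode()
    with urllib.request.urlopen(req, payload) as resp:
        return json.load(resp)


def take_recovery_code(secret_path, mount="secret"):
    """Read the secret, consume one code, write it back with check-and-set.

    The "cas" option pins the write to the version that was read; Vault
    rejects it (HTTP 400) if another caller consumed a code in between, so
    two concurrent requests can never be handed the same code.
    """
    current = _request("GET", f"{mount}/data/{secret_path}")["data"]
    code, new_data = pop_next_code(current["data"])
    _request("POST", f"{mount}/data/{secret_path}",
             {"data": new_data, "options": {"cas": current["metadata"]["version"]}})
    return code


if __name__ == "__main__":
    print(take_recovery_code("recovery/example-service"))  # placeholder path
```

Writing the used codes back (rather than deleting them) keeps an audit trail of which codes were consumed, and Vault's secret versioning preserves the earlier lists as well.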