The onboarding process for a new employee is a critical moment for IT security. You give them access to Slack, email, the CRM, and AWS. And of course, you enforce Multi-Factor Authentication (MFA/2FA) on all accounts.

But there's a catch: Recovery Codes.

When an IT administrator sets up an account for a user (or resets their MFA), the service generates a list of "Backup Codes" or "Recovery Codes". These codes are designed to bypass 2FA if the user loses their phone.

The dilemma is: How do you get these highly sensitive codes to the employee?

The "Initial Secret" Problem

If you take a screenshot of the codes and email it to the new hire, you've just broken the security model.

  • Email is persistent: Those codes will sit in the "Sent" folder of the IT admin and the "Inbox" of the employee forever.
  • The "Break Glass" Risk: Recovery codes are literally the keys to the castle. If an attacker compromises the employee's email, they find these codes and can bypass 2FA on other services.

The Secure Workflow for HR and IT

To send 2FA codes securely without leaving a paper trail, follow this "Zero-Trace" workflow using Nurbak:

Step 1: Setup

The IT Admin enables MFA on the employee's account and generates the recovery codes.

Step 2: Isolate

Instead of saving a file or taking a screenshot, copy the text of the codes.

Step 3: Encrypt and Burn

Paste the codes into Nurbak.

  • Crucial Setting: Select "Burn after reading" (1 View).

Step 4: Delivery

Send the Nurbak link to the employee via their personal email or onboarding chat.

Step 5: Completion

The employee clicks the link, copies the codes to their password manager (like 1Password or Bitwarden), and the link destroys itself.
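The property the workflow above relies on is that the service holds only ciphertext it cannot read, and that the first view deletes the record. The following is an added illustration written for this article, not Nurbak's own code and not a description of its internals. It assumes a common design for such services (the decryption key rides in the URL fragment after "#", which browsers never send to the server), uses a toy HMAC-based stream cipher purely for self-containment, and invents the placeholder URL example.invalid and the helper names below.

```python
# Added example: a minimal model of a "burn after reading" secret link.
# This is NOT Nurbak's implementation; it only illustrates the properties the
# workflow depends on. Assumptions: key in the URL fragment (never sent to the
# server), server stores ciphertext only, first read deletes the record.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side store: link id -> encrypted blob. A real service uses a database.
_STORE: Dict[str, bytes] = {}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, used only so the example
    runs without third-party packages. Production code should use AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce(16) || ciphertext || HMAC tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None on a truncated or tampered blob or a wrong key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def create_link(secret_text: str, base_url: str = "https://example.invalid/s/") -> str:
    """Sender side (the IT admin's browser): encrypt locally, upload only the
    ciphertext, and return a link whose fragment carries the key."""
    key = secrets.token_bytes(32)
    link_id = secrets.token_urlsafe(16)  # URL-safe, so it never contains '/'
    _STORE[link_id] = encrypt(key, secret_text.encode())
    return f"{base_url}{link_id}#{key.hex()}"


def open_link(link: str) -> Optional[str]:
    """Recipient side: fetch the blob by id, burn it, decrypt with the fragment
    key. Returns None if the link was already burned, tampered with, or the
    key is wrong. Note that a failed attempt still burns the record, which is
    what makes an "already burned" link a signal to regenerate the codes."""
    path, _, fragment = link.partition("#")
    link_id = path.rsplit("/", 1)[-1]
    blob = _STORE.pop(link_id, None)  # pop: the first fetch deletes the record
    if blob is None:
        return None
    try:
        key = bytes.fromhex(fragment)
    except ValueError:
        return None
    pt = decrypt(key, blob)
    return pt.decode() if pt is not None else None


def server_sees_plaintext(link: str, secret_text: str) -> bool:
    """Check: the stored blob must not contain the recovery codes in clear."""
    link_id = link.partition("#")[0].rsplit("/", 1)[-1]
    return secret_text.encode() in _STORE.get(link_id, b"")


if __name__ == "__main__":
    # Constructed sample recovery codes, not real ones.
    codes = "1111-2222\n3333-4444\n5555-6666"
    link = create_link(codes)
    print("server can read codes:", server_sees_plaintext(link, codes))  # False
    print("first view:", open_link(link) == codes)                        # True
    print("second view:", open_link(link))                                # None
```

The second call returning nothing is the behaviour to brief the employee on: if the link is already burned when they open it, someone else viewed it first, and the admin should regenerate the recovery codes rather than resend the same ones.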

Why this matters for Compliance

For SOC 2 or ISO 27001 audits, demonstrating that you have a secure employee onboarding process is vital. Using ephemeral links shows that you are minimizing the attack surface by ensuring that secrets (like recovery codes) do not exist in plain text in your communication logs.

Conclusion

Recovery codes are the "master key" if 2FA fails. Treat them with the same respect as a root password.

Don't email them. Nurbak them.