Ryan, thank you so much for that tip about taking a photo of the QR code and storing it off for use later!! I’ve had to call AWS support more than once either when my phone lost its mind or when I upgraded phones. 🙂
Even better: Click the link under the QR code, get the code, store the code in your password manager. No photos needed, and easier to manage with copy-paste.
You ARE using a password manager, right? Right? RIGHT?
if you are on Android, you can use Authenticator+, it cost a couple of bucks but it lets you sync all of your MFA to other devices… and restore if the device is lost. (this is pretty awesome if you have over 100 MFA codes…)
I store a few of my MFA codes in 1Password, but I feel like if my MFA and PW are in the same storage then I’m less secure, so I like having them firewalled.
You could put the QR code into Stocard too 😀
From the security point of view, I don’t recommend the option of store the QR code (or string code), is another management/security headache.
AWS provides a process to access in case of MFA problem (I tested a few months ago).
What If an MFA Device Is Lost or Stops Working? http://amzn.to/2GZMt5D (URL edited, doesn’t works the long one)
Basically, using this process bypass the MFA, doesn’t disable the current MFA (you need to do it manually after access to the account and change it).
IMO, storing the QR image or the code, while it can be done more or less secure, the fact that is available is a risk anyways, specially if you put in your password manager, that probably, also manages your root account password :-). Just sync the MFA to your phone and another trusted team member at the same time.