Is it safe to save a screenshot of my QR code?
For MFA I now use Authy (owned by Twilio) instead of Google Authenticator. I find Authy more convenient because it syncs your accounts between several devices and several authy installations which Google Authenticator will not do. Authy also displays the remaining time before a token times out so that you can see if it is about to expire. I also take a screenshot of every QR code so that I can register it again with a new device or a new MFA app. I can confirm that a token from Authy works to authenticate with AWS. There is also another MFA app named FreeOTP which I did not try.
If someone "found" that image file from the QR screenshot, and they "guessed" my password, what would prevent them from impersonating me without me noticing it?
For example, someone has FreeOTP, has the QR code screenshot and knows my AWS password (highly unlikely but possible). I tested reading an screenshot of a QR code and register it with FreeOTP. FreeOTP did start generating a valid token (same as in authy).
What I really want to know is: Is it a security concern to save a screenshot of the QR code?