🛟 2FA Backup Code Generator

Last updated: April 28, 2026


Generate cryptographically secure one-time recovery codes for your accounts.

Store these offline only — print on paper or write in a physical notebook. Never screenshot or store in cloud notes. Each code can only be used once.

Tick a code after using it to mark it as spent. Regenerate when you're running low.

The Complete Checklist for Using 2FA Backup Codes Without Losing Access Forever

Two-factor authentication is one of the smartest security decisions you can make. It stops the vast majority of account takeovers cold — even when your password leaks. But there is a trap that catches thousands of users every year: losing access to their phone and discovering, at the worst possible moment, that 2FA is a locked door with only one key. Backup codes are that second key. Here is how to use them correctly, from generation to the moment you actually need one.

Step 1 — Understand What Backup Codes Actually Are

A backup recovery code is a single-use, pre-generated secret that substitutes for your authenticator app or SMS code when you cannot produce one. Most services (Google, GitHub, Dropbox, Discord, and dozens of others) provide a fixed batch — usually eight to twelve codes — when you first enable 2FA. Each code works exactly once. After you enter it, it is permanently invalidated on the server side. This one-time property is what keeps them secure: a code seen by an attacker over your shoulder cannot be reused.

Generating your own local set of backup codes (as this tool does) is useful when you want to plan ahead before enabling 2FA on a new service, when a service does not offer official backup codes, or when you want a private offline reference you control completely before touching any service's settings.

Step 2 — Always Use a Cryptographically Secure Source

Not all randomness is equal. A backup code generated with Math.random() in a browser or a simple timestamp hash is predictable — an attacker who knows the rough time of generation and your browser version could brute-force the full batch in minutes. The tool on this page uses crypto.getRandomValues(), the Web Cryptography API, which pulls entropy from the operating system's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). This is the same source used by password managers and professional security tools.

When evaluating any backup-code generator, confirm it explicitly states CSPRNG usage. If it does not mention the source of randomness, treat it as insecure.

Step 3 — Choose the Right Format for Your Situation

Alphanumeric codes (like XKQM-3NR7) are the industry default. They use a deliberately pruned character set — no letter O, no digit 0, no letter I, no digit 1 — to eliminate transcription errors when you read them from paper. This is the format to use for most situations.

Numeric codes (84721-09345) are better when the person storing them is less comfortable with mixed-case letters, or when the recovery form on a specific site only accepts digits. They are slightly weaker per character but length compensates.

Hex codes (a3f9-22c1-84be) offer maximum entropy density per character and are ideal if you are storing codes in a structured file like a password manager that handles arbitrary strings well.

Step 4 — Generate More Codes Than You Think You Need

Ten codes sounds like a lot until you realise: you will use one when you get a new phone, one when you travel and forget your authenticator is tied to biometrics, one when your phone dies mid-trip. A batch of ten can vanish faster than expected over a two-year period. Generate at least ten, ideally sixteen. Services that only give you eight codes by default make it easy to burn through half of them before you notice.

Keep a mental or physical counter. If you have used more than half, generate and register a new batch immediately — not when you are down to your last code in an emergency.

Step 5 — Store Them Offline, in Multiple Physical Locations

This is the step most people skip because it feels inconvenient. It is also the most important.

  • Print the codes on paper and store the printout in a locked drawer or a fireproof document box at home.
  • Write them in a dedicated notebook (a small, plain notebook used only for this purpose) and store it separately from your devices.
  • Give a sealed envelope to a trusted person — a family member, a lawyer, whoever holds your emergency documents — for true disaster recovery.

What you must never do: screenshot and save to iCloud Photos, paste into Google Keep, store in an unencrypted text file on your Desktop, or email them to yourself. If your online accounts are compromised, these locations fall simultaneously. The entire value of backup codes comes from their offline nature.

Step 6 — Label Every Set of Codes

Write the service name, your username, and the date of generation on the same paper as the codes. Unlabelled codes are nearly useless — in six months you will have no idea which batch belongs to which service, and you will be afraid to enter a code from the wrong set.

Example label: GitHub — [email protected] — Generated 2026-06-23

Step 7 — Invalidate Old Codes When You Generate New Ones

Every time you generate a fresh batch and register it with a service, the old batch is immediately invalidated. This is good — it means stolen old codes cannot be used. But it also means you must update your physical storage immediately. Cross out the old printout or, better, shred it. Replace it with the new printout in the same location. Confusion between old and new batches is a common source of failed recovery attempts.

Step 8 — Test Recovery Before You Actually Need It

Log out of an account, then log back in using one of your backup codes instead of your authenticator. This does three things: it confirms the codes are valid, it confirms you can find and read them under mild pressure, and it consumes one code — reminding you to keep count. Do this test within the first week of setting up 2FA on any important account. Do not wait until your phone is at the bottom of a lake in a foreign country.

Step 9 — Integrate Backup Code Management Into Your Password Manager Workflow

If you use a password manager (and you should), add a secure note to each login entry that says where the physical backup codes for that account are stored — not the codes themselves, but the location. Example: "Backup codes for this account are in the red notebook, second shelf, home office." This way, finding your codes in an emergency is a two-step process: open the password manager for the location hint, go to that physical location. It keeps codes offline while making them findable.

Step 10 — Know What to Do When You Run Out

If you reach your last code, do not use it yet. First: log in with it, immediately navigate to your 2FA settings, and generate a completely new batch of codes. Register the new batch, print it, store it. Then invalidate the old batch from the service's settings. If you have already used the last code and are locked out, contact the service's account recovery process — most require identity verification (government ID, trusted device, backup email) and take one to five business days. This is painful. It is why counting your remaining codes matters.

The Short Version (Keep This Visible)

  • Generate codes from a CSPRNG source only.
  • Generate at least 10, preferably 16.
  • Print and label them immediately.
  • Store offline, in two separate physical locations.
  • Never store in cloud apps, screenshots, or unencrypted files.
  • Test one code within the first week.
  • Track how many remain — regenerate when below 50%.
  • Shred old batches when you generate new ones.

Backup codes are not exciting. They are a paper slip in a drawer. But on the day your phone is stolen, broken, or simply out of battery in an airport, that slip of paper is worth more than any piece of technology you own. Treat it accordingly.

FAQ

How many backup codes should I generate for each account?

Generate at least 10 codes per account, and ideally 16. While 8 may seem sufficient, codes get consumed faster than expected — new phone setups, travel situations, and occasional lockouts can burn through a small batch within a year or two. Keep count: once you have used more than half, generate and register a fresh batch immediately rather than waiting until you are critically low.

Is it safe to generate backup codes in a browser tool like this?

Yes, provided the tool uses the Web Cryptography API (crypto.getRandomValues) and runs entirely client-side with no network calls. This tool generates all codes locally in your browser using CSPRNG entropy sourced from your operating system — no code is ever transmitted anywhere. You can disconnect from the internet before clicking Generate and the tool will work identically.

What is the difference between alphanumeric, numeric, and hex backup codes?

Alphanumeric codes use letters and digits from a pruned set (no O/0 or I/1 confusion) and are the most human-friendly for manual transcription. Numeric codes use only digits and are useful when a recovery form accepts numbers only, or when sharing codes with less tech-comfortable users. Hex codes pack the most entropy per character and work well when codes are stored in a structured password manager vault. For most people, alphanumeric is the safest default.

Can I store my backup codes in a cloud password manager?

Storing codes in a reputable, end-to-end encrypted password manager (Bitwarden, 1Password, etc.) is a reasonable middle-ground for accounts you consider lower-risk. However, for your most critical accounts — email, banking, primary cloud storage — the safest approach is a physical offline copy only. If an attacker gains access to your password manager, cloud-stored backup codes and 2FA are defeated simultaneously. Physical storage eliminates that single point of failure.

Do backup codes expire automatically?

Backup codes themselves do not have time-based expiry — they remain valid indefinitely until used or until you regenerate a new batch (which invalidates the old one). However, some services do expire unused backup codes after a long period (12–24 months) as a security policy. Always check the specific service's documentation, and schedule an annual review of all your 2FA setups to verify codes are still valid and you know where your physical copies are.

What should I do if I find old backup codes but I am not sure if they are still valid?

The safest approach is to log into the affected account using your normal authenticator, navigate to the security or 2FA settings, and check whether backup codes are listed as active. If you see an option to 'view existing codes' or 'regenerate codes', the old codes on paper may still be valid. Do not attempt to use an old code as your only recovery method without verifying this first. If in doubt, regenerate a new batch (invalidating the old), print the new set, and destroy the old paper.