Free 2FA Backup Codes Generator
Generate single-use recovery codes for two-factor authentication. The default format is XXXXX-XXXXX, drawn from an unambiguous charset so the codes survive being read off paper. Count, group count, group length, and charset are configurable. Runs in your browser.
Print or save these somewhere safe. Each can only be used once.
How to use these codes
Print the list. Cut it up if you want, and store each code in a different location for extra safety. When your authenticator app is unavailable, enter one code in the “use a backup code” field at sign-in. Each code only works once, so cross it off when used.
If you run out of codes, regenerate the set in your account settings (most services let you revoke the old list and produce a new one).
Backup codes vs other 2FA recovery
- Backup codes (this tool) — printed paper. Most reliable; survives phone loss and internet outage.
- Recovery email — only as secure as the email account. Make sure that account also has 2FA.
- Hardware key (YubiKey, etc.) — strongest factor. Buy two and keep one as a backup.
- SMS recovery — avoid. SIM-swap attacks make SMS the weakest 2FA factor.
Frequently asked questions
Backup codes (also called recovery codes) are single-use codes that let you sign in to a 2FA-protected account when you cannot access your authenticator app — phone lost, broken, or out of battery. Most services generate a set of 8-10 codes when you enable 2FA.
Print them and store the printout somewhere safe — a fireproof safe, a bank safety-deposit box, or with a trusted family member. Do not store them in the same password manager that holds the password, or in a cloud note that an attacker who steals the password could read.
8-10 is the typical default. Each code is single-use, so the count should be high enough that you don't run out before re-enabling 2FA on a new device.
Backup codes are usually read off paper and typed by hand. The unambiguous charset removes characters that look alike (0/O, 1/l/I), so a valid code is not mistyped because two characters were confused.
Yes. Codes are generated entirely in your browser using crypto.getRandomValues. Nothing is sent to a server.
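An added example, not this tool's own code: one way to generate codes in the default XXXXX-XXXXX format with crypto.getRandomValues. The exact charset, the function names and the Node fallback are assumptions; rejection sampling keeps the draw uniform when a configured charset's size does not divide 256.

```javascript
// Added example: charset, defaults and function names are assumptions, not the tool's code.
// Browser: globalThis.crypto. The fallback lets the same file run under older Node.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Assumed unambiguous charset: uppercase letters and digits without 0/O and 1/I.
const UNAMBIGUOUS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

// Uniform index in [0, n) by rejection sampling: bytes at or above the largest
// multiple of n that fits in 256 are discarded, so no symbol is favoured.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 2 || n > 256) throw new RangeError("charset size must be 2..256");
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  for (;;) {
    rng.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generateCode({ groups = 2, groupLength = 5, charset = UNAMBIGUOUS } = {}) {
  const symbols = [...new Set(charset)]; // duplicates would skew the distribution
  const parts = [];
  for (let g = 0; g < groups; g++) {
    let part = "";
    for (let i = 0; i < groupLength; i++) part += symbols[randomIndex(symbols.length)];
    parts.push(part);
  }
  return parts.join("-");
}

// Guessing resistance of one code, in bits: positions * log2(distinct symbols).
function entropyBits({ groups = 2, groupLength = 5, charset = UNAMBIGUOUS } = {}) {
  return groups * groupLength * Math.log2(new Set(charset).size);
}

function generateBackupCodes(count = 10, options = {}) {
  // Refuse a format too small to hold `count` distinct codes (would loop forever).
  if (Math.log2(count) > entropyBits(options)) throw new RangeError("format too small for count");
  const codes = new Set(); // the printed list never repeats a code
  while (codes.size < count) codes.add(generateCode(options));
  return [...codes];
}

console.log(generateBackupCodes().join("\n"));
console.log(`${entropyBits()} bits per code`);
```

With the assumed 32-symbol charset and the default two groups of five, each code carries 50 bits; shrinking the charset or the group length lowers that figure.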


