What is a 2FA backup code and when do I actually use one?

A backup code is a single-use recovery key for an account protected by two-factor authentication. When your phone with the authenticator app is lost, broken or unreachable, you type one backup code instead of the usual 6-digit token to get back in. For example GitHub hands you 16 codes the moment you turn on 2FA, and you keep them for exactly that emergency. Each code is consumed once, so a sheet of 10 lets you recover up to 10 times before you must regenerate.

How is this different from the GitHub or Google format?

It reproduces those shapes. GitHub shows roughly 10 to 16 codes of grouped characters, Google shows 10 codes of 8 digits, Discord uses similar grouped strings. Here you set the count, the number of groups and the characters per group, so you can match xxxxx-xxxxx (two groups of five) or 12345678 (one group of eight digits). Switch the character set to plain digits for read-aloud codes or to letters plus digits for denser ones, and the separator to a hyphen, a space or nothing.

How should I store the codes once I generate them?

Offline and in more than one place. Click Download .txt and print the sheet, then lock the paper in a drawer or a safe; or write the codes by hand. A second copy in a separate location covers fire or loss. Avoid leaving the only copy in a plaintext file on the same laptop that holds your password manager, because a single breach would then take both factors. If you must keep a digital copy, put it inside an encrypted vault entry rather than a loose note.

Why does each code only work once?

Single use is the security model. When you redeem a backup code on the real service, that provider marks it spent so a code seen over your shoulder or left in an old screenshot cannot be replayed. This tool mirrors that idea with a Mark used button you can tick as you spend codes, so your printed sheet always shows what is left. When you are down to one or two unused codes, generate a fresh set on the provider and retire the old sheet.

Is the randomness actually safe if it runs in my browser?

Yes. The codes come from crypto.getRandomValues, the browser cryptographic random source backed by the operating system, never from Math.random. Selection uses rejection sampling so every character is equally likely, with no modulo bias that would quietly shrink the real entropy. A 10-character code from a 32-symbol set carries about 50 bits, shown live in the strength panel. Generation is 100% local, so the bytes that become your recovery keys are never transmitted anywhere.

Set up a self-hosted service that lacks a recovery flow

You just enabled TOTP on a self-hosted app (Vaultwarden, Gitea, a home NAS) that issues the secret but never offers downloadable backup codes. Generate ten codes here in the GitHub shape, paste them into the app's own recovery list if it has one, or simply print and store them as your manual fallback. If the authenticator app is ever wiped, the printed sheet is the only thing standing between you and a locked-out admin account.

Hand a team a printable break-glass sheet

A small ops team shares a couple of critical accounts behind 2FA. Generate a sheet of codes, print it, and seal it in an envelope kept in the office safe as the break-glass path for when the on-call phone is unreachable. Each code is single use, so after anyone opens the envelope and spends a code, the team knows to regenerate and reseal. The Mark used toggle keeps the working copy honest.

Pre-stage recovery codes before a trip with no signal

Before traveling somewhere with poor connectivity or while swapping to a foreign SIM, SMS and push prompts may not reach you. Generate a short sheet of digit-only codes that are easy to read from a printout in dim light, store it in your wallet separately from your phone, and you still have a way past 2FA if the network drops at the worst moment.

Teach 2FA recovery in a security workshop

Running an onboarding or security-awareness session, you want every attendee to see what real backup codes look like and practice storing them, without touching anyone's live account. Generate sample sheets in the Google 8-digit shape and the GitHub grouped shape side by side, hand them out, and walk through where each copy should live. Nothing leaves the room because nothing leaves the browser.

Backup Codes Generator for 2FA Recovery

Generate 2FA backup and recovery codes the GitHub way, formatted, unique, and made in your browser

Runs locally
Category Developer & DevOps
Best for Formatting, validating, shrinking, or inspecting code-adjacent text.

Character set

How many codes

Groups per code

Chars per group

Separator

Strength

Entropy per code (bits)

50.0

Code shape

xxxxx-xxxxx

Your backup codes

Click Generate to produce backup codes.

Only the format options ride in the URL. The codes themselves stay on this page and never enter the link.

Keep these safe

Store this sheet offline — print it or write it down and lock it away. Each code works exactly once, so cross it off after use. Anyone holding a code can get past your second factor, so treat the list like a spare key.

What this tool does

Generate two-factor authentication backup codes, the printable recovery codes you keep for the day your phone is lost, wiped or out of battery. The tool builds a sheet of N codes (10 by default), each split into even groups such as xxxxx-xxxxx or xxxx-xxxx-xxxx, drawn from pure digits or from letters and digits with the look-alike glyphs 0 O 1 I l removed so a handwritten copy stays readable. Every code is cryptographically random, generated with crypto.getRandomValues, and guaranteed unique inside the batch. You see the entropy per code, copy the whole set, download it as a plain .txt sheet to print, and tick off each code as you spend it, since a backup code works exactly once. Nothing is uploaded and the codes never ride in the URL. Pick the format that matches GitHub, Google, Discord or your own provider, then store the sheet offline.

Tool details

Input: Numbers; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy + Download; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Shareable URL state; Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget: Initial JS <= 9 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Developer & DevOps · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How Backup Codes Generator fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

Formatting, validating, shrinking, or inspecting code-adjacent text.
Preparing snippets for documentation, tickets, commits, or handoff.
Checking a small payload quickly without switching tools.

Developer checks

Run irreversible transforms like minify or obfuscate on a copy.
Keep secrets out of pasted snippets unless the tool explicitly stays local.
Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Set up a self-hosted service that lacks a recovery flow
You just enabled TOTP on a self-hosted app (Vaultwarden, Gitea, a home NAS) that issues the secret but never offers downloadable backup codes. Generate ten codes here in the GitHub shape, paste them into the app's own recovery list if it has one, or simply print and store them as your manual fallback. If the authenticator app is ever wiped, the printed sheet is the only thing standing between you and a locked-out admin account.
Hand a team a printable break-glass sheet
A small ops team shares a couple of critical accounts behind 2FA. Generate a sheet of codes, print it, and seal it in an envelope kept in the office safe as the break-glass path for when the on-call phone is unreachable. Each code is single use, so after anyone opens the envelope and spends a code, the team knows to regenerate and reseal. The Mark used toggle keeps the working copy honest.
Pre-stage recovery codes before a trip with no signal
Before traveling somewhere with poor connectivity or while swapping to a foreign SIM, SMS and push prompts may not reach you. Generate a short sheet of digit-only codes that are easy to read from a printout in dim light, store it in your wallet separately from your phone, and you still have a way past 2FA if the network drops at the worst moment.
Teach 2FA recovery in a security workshop
Running an onboarding or security-awareness session, you want every attendee to see what real backup codes look like and practice storing them, without touching anyone's live account. Generate sample sheets in the Google 8-digit shape and the GitHub grouped shape side by side, hand them out, and walk through where each copy should live. Nothing leaves the room because nothing leaves the browser.

Common pitfalls

Keeping the only copy in a plaintext file on the same device as your password manager. One breach then takes both factors at once. Print the sheet or store it inside an encrypted vault entry, and keep a second copy somewhere physically separate.
Reusing a code you already spent. Backup codes are single use; the real provider marks each one consumed on first redemption, so a code that worked last month will simply be rejected. Tick the Mark used toggle as you go and regenerate when only one or two remain.
Treating these codes as a substitute for the provider's own list. This tool makes correctly formatted random codes, but the account is only protected once the matching codes are registered with the real service. Generate, then enroll or save them where that specific provider expects.

Privacy

Every backup code is produced by JavaScript running inside your browser tab, using crypto.getRandomValues. No code, count or format is ever sent to a server, and the generated codes are deliberately kept out of the shareable URL: only the format options (count, groups, separator, character set) are encoded there, never the secrets themselves. Because these codes are account recovery keys, do not paste them into chat or email; download the .txt and keep it offline.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Developer

Browse all tools for this role

Backup Codes Generator for 2FA Recovery

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How Backup Codes Generator fits into your work

Developer jobs

Developer checks

Good next steps

Real-world use cases

Set up a self-hosted service that lacks a recovery flow

Hand a team a printable break-glass sheet

Pre-stage recovery codes before a trip with no signal

Teach 2FA recovery in a security workshop

Common pitfalls

Privacy

FAQ

TOTP Generator

Password Generator

API Key Generator

Diceware Passphrase Generator

AI Eval Planner

Apache Cheatsheet

API Rate Limit Cheatsheet

ASCII Table Generator

ASCII Table Reference

awk + sed Cheatsheet

AWS CLI Cheatsheet

AWS IAM Cheatsheet