How many should I generate?

**Google**: 10 (default). **GitHub**: 16. **Microsoft**: 1 (long alphanumeric). **Industry standard**: **8-16**. Generate **10-12**: 2-3 years of typical usage with margin (1-2 lost-phone events, 2FA ecosystem transitions).

Where do I keep them?

**NOT in the same password manager that holds your 2FA secrets** (single point of failure). **Best places**: - **Paper printout** in a home safe / drawer - **Wallet copy** (small card) - **Encrypted file** on an external drive **Ideal: two copies in physically separate places**. **Never**: plaintext file on the laptop, iCloud screenshot, unlocked Notes.

Do codes leave the browser?

**No**. Generation, copying, .txt export: all **local**. **DevTools → Network** = no requests. Codes **vanish from memory** when you close the tab.

What if a service requires a specific format?

**Most services** accept **"XXXX-XXXX-XXXX"** or plain alphanumeric. Our options cover both conventions. If a service has a **strict format** (e.g. "XX-XX-XX-XX-XX-XX"), pick length 12, "Plain", and manually insert dashes before pasting.

Are codes unique within the batch?

**Yes**. The generator checks each new code against earlier ones. With a 32-char alphanumeric alphabet at length 10 the **collision probability is ~10^-12**, retries rarely needed, but we do them for safety.

**Hex** (0-9a-f) = devops classic. Easy to type, but **longer** (more chars for the same entropy). **Alphanumeric** (without l/1/o/0): more compact, easier to dictate. **Digits**: lowest per-char entropy, but fastest on a numeric keypad. **Standard** at Google/GitHub: **alphanumeric**.

Can I use backup codes as my primary password?

**No**, backup codes are **single-use**. Each works once, then it's burned. For a primary password use the [password generator](/en/password-generator) or [passphrase](/en/passphrase-generator). **Backup codes are a 2FA fallback only**.

2FA Backup Codes Generator - free

Your backup codes0 codes

Number of codes10

Code length10

Character set

Format

Codes are generated in your browser and never sent anywhere.

Generate a TOTP secret for an authenticator app

What do I do if I lose my phone with 2FA?

Generates a batch of backup / recovery codes: 4-20 single-use codes for account recovery when you lose your 2FA device.

The same thing GitHub, Google, GitLab, Microsoft hand out when you turn 2FA on: a printable code sheet to stash somewhere safe.

Each code is cryptographically random, unique within the batch, all generated in your browser.

How to use it

Code count: 8-10 is the standard (Google ships 10, GitHub 16). Plenty for years.

Length: 10 chars = sweet spot. 6 for hand-typing, 16+ for paste-only.

Charset: alphanumeric (without l/1/o/0, easier to dictate), hex (0-9a-f, dev classic), digits.

Dash format (XXXX-XXXX-XXXX), easier to scan. Plain for paste-friendly.

Click "Download .txt" or copy all, stash in 2-3 places (safe, wallet, encrypted drive). One copy = too few (lose them and you lose the account).

When this is useful

Six typical situations where a sheet of recovery codes saves you from losing the account:

Enabling 2FA on GitHub/GitLab/Google/Microsoft. They give you 8-16 codes; here you can generate your own.
Crypto wallet. Recovery codes in case you lose your Ledger or other hardware key.
Password manager master. Recovery codes as a last-resort fallback if you forget the master.
Corporate SSO (Okta, Azure AD). Emergency login codes for when the Authenticator phone goes missing.
Corporate VPN. Emergency access.
Any 2FA system where you want a fallback besides the phone.

After generating: save in 2-3 places right away. Don't keep them on the same laptop as your password manager (single attack vector).

Questions and answers

Single-use codes that substitute for 2FA when you lose access to the phone / hardware key. GitHub, Google, AWS, etc. issue them when you set up 2FA. Each code = one login; once used it's burned from the valid list. Hence "backup", a contingency for losing your primary 2FA factor.

What do I do if I lose my phone with 2FA?

Generates a batch of backup / recovery codes: 4-20 single-use codes for account recovery when you lose your 2FA device.

The same thing GitHub, Google, GitLab, Microsoft hand out when you turn 2FA on: a printable code sheet to stash somewhere safe.

Each code is cryptographically random, unique within the batch, all generated in your browser.

How to use it

Code count: 8-10 is the standard (Google ships 10, GitHub 16). Plenty for years.

Length: 10 chars = sweet spot. 6 for hand-typing, 16+ for paste-only.

Charset: alphanumeric (without l/1/o/0, easier to dictate), hex (0-9a-f, dev classic), digits.

Dash format (XXXX-XXXX-XXXX), easier to scan. Plain for paste-friendly.

Click "Download .txt" or copy all, stash in 2-3 places (safe, wallet, encrypted drive). One copy = too few (lose them and you lose the account).

When this is useful

Six typical situations where a sheet of recovery codes saves you from losing the account:

Enabling 2FA on GitHub/GitLab/Google/Microsoft. They give you 8-16 codes; here you can generate your own.
Crypto wallet. Recovery codes in case you lose your Ledger or other hardware key.
Password manager master. Recovery codes as a last-resort fallback if you forget the master.
Corporate SSO (Okta, Azure AD). Emergency login codes for when the Authenticator phone goes missing.
Corporate VPN. Emergency access.
Any 2FA system where you want a fallback besides the phone.

After generating: save in 2-3 places right away. Don't keep them on the same laptop as your password manager (single attack vector).

Questions and answers

2FA Backup Codes Generator

What do I do if I lose my phone with 2FA?

How to use it

When this is useful

Questions and answers

Related tools

Password Generator

Passphrase Generator

PIN Generator

2FA Backup Codes Generator

What do I do if I lose my phone with 2FA?

How to use it

When this is useful

Questions and answers

Related tools

Password Generator

Passphrase Generator

PIN Generator