
2FA Backup Codes: What They Are, Where to Find Them, and How to Use Them

Backup codes are the emergency key for your 2FA-protected accounts. Most people never think about them until they're locked out.

What Are 2FA Backup Codes?

Backup codes are a set of one-time-use codes generated when you enable two-factor authentication. Each code can be used once in place of your regular 2FA code to log in, typically when you can't access your authenticator app or phone.

Where to Find Your Backup Codes

Backup codes are shown only once, at the time of 2FA setup. If you didn't save them, you'll need to regenerate them (while you still have 2FA access).

To regenerate backup codes, go to the security settings of each service and look for "Backup codes", "Recovery codes", or "Emergency codes."

How Many Backup Codes Do I Get?

Most services provide 8 to 10 backup codes; Google gives 10. Each code can be used only once, after which it is invalidated. You can regenerate a fresh set at any time, which invalidates the old ones.

Important: When you generate new backup codes, all old ones immediately stop working. Make sure to update your stored copy.

How to Store Backup Codes Safely

The goal is to make your backup codes accessible when you need them, but not accessible to an attacker.

  • Best: Store in a password manager (1Password, Bitwarden, etc.) in a secure note attached to the account
  • Good: Print them and store in a secure physical location (safe, locked drawer)
  • Avoid: Screenshots in your phone's photo library, which are easily accessed if your phone is compromised
  • Never: Email them to yourself or store in an unencrypted text file

How to Use a Backup Code

  1. On the 2FA login screen, look for "Use a backup code", "Enter a recovery code", or "Try another way"
  2. Enter the code exactly as written (usually 8 digits, or an alphanumeric string)
  3. The code will be invalidated after use
  4. After logging in, immediately reconfigure your 2FA method and generate new backup codes

How Many Backup Codes Should I Keep?

Keep all of them until you've used some. Once you've used 3 to 4, generate a fresh set. Never let yourself get to zero remaining codes without addressing the underlying 2FA issue.

What Backup Codes Actually Are

Backup codes are one-time-use authentication codes generated by a service when you first enable two-factor authentication. They are designed specifically for the scenario where your primary 2FA method (phone, authenticator app, hardware key) is unavailable. Each code works exactly once: when you use it, the service marks it as consumed and it cannot be reused.

Most services generate between 8 and 12 backup codes at the time of 2FA setup. They are typically 8 to 12 alphanumeric characters and look something like 7f9a-2b4c or 49284 73820. The format varies by service, but the purpose is the same: a static, pre-generated emergency credential that stands in for your second factor.

How to Use a Backup Code

When you attempt to sign in and are asked for your 2FA code, look for a link that says something like "Use a backup code", "Can't access your authenticator?", or "Try another way". Clicking this takes you to a text field where you enter one of your saved backup codes. The service verifies it against its list of unused codes for your account, and if it matches, grants access.

Once the code is used, it disappears from your list. Most services show you how many codes remain. When you are running low (typically below 3 or 4), generate a new batch, which also invalidates all remaining old codes.

Where to Store Backup Codes

The most practical place for most people is a password manager. Store backup codes as a secure note attached to the account entry, or as a custom field. When you need them, you can access them from any device where your password manager is installed.

For high-security accounts, storing a printed copy in a physically secure location (a home safe, filing cabinet, or safe deposit box) provides a backup that cannot be wiped remotely. Avoid storing codes in plain text on your phone or computer: if your device is compromised, an attacker with your device could access both your password and your backup codes.

Never store backup codes in the same place as the password for that account, and never store them somewhere easily accessible to others in your household without context about what they are.

When Backup Codes Cannot Help

There are situations where backup codes are not the right solution. If you never generated or saved them, they are not available: unlike TOTP codes, which can be regenerated from the shared secret, backup codes can be retrieved from the service only if you are already authenticated. This is a chicken-and-egg problem that requires account recovery instead.

Some services do not offer backup codes at all, typically smaller applications or those using simple SMS-based 2FA. For these services, your only fallback is the recovery options the service provides (typically email or phone verification).

Regenerating Backup Codes

You can generate a new batch of backup codes at any time from your account's security settings. Doing so immediately invalidates all previously issued codes. Generate new codes if: you have used most of your existing codes; you believe your codes may have been seen by someone else; you are doing a security audit of your accounts; or you cannot find your saved codes and want to start fresh.

After generating new codes, update your stored copy immediately. Generating new codes without storing them defeats their purpose.
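The service-side lifecycle the article describes (issue a batch once, check a submitted code against the list of unused codes, consume it on success, invalidate the whole batch on regeneration) can be made concrete with a small model. This is an added example, not code from the article or from any named service; the code format, the slow-hash parameters and the low-watermark threshold are assumptions chosen to match the article's description.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/o, 1/l/i) so printed codes are easy to type.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 8
LOW_WATERMARK = 4           # the article's advice: regenerate when fewer than 3 or 4 remain
PBKDF2_ITERATIONS = 50_000  # slow hash: codes are short, so stored hashes must resist offline guessing

def normalize(code: str) -> str:
    """Treat '7f9a-2b4c', '7F9A 2B4C' and '7f9a2b4c' as the same code."""
    return "".join(ch for ch in code.lower() if ch.isalnum())

class BackupCodeStore:
    """Server-side record for one account: only salted hashes of unused codes are kept."""
    def __init__(self, codes_per_batch: int = 10) -> None:
        self.codes_per_batch = codes_per_batch
        self.salt = secrets.token_bytes(16)
        self._hashes = set()  # digests of codes not yet redeemed

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), self.salt, PBKDF2_ITERATIONS)

    def regenerate(self) -> list:
        """Issue a fresh batch; every previously issued code stops working immediately.
        Returns the plaintext codes, which are shown to the user exactly once."""
        plain = []
        for _ in range(self.codes_per_batch):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            plain.append(f"{raw[:4]}-{raw[4:]}")
        self.salt = secrets.token_bytes(16)
        self._hashes = {self._digest(c) for c in plain}
        return plain

    def redeem(self, code: str) -> bool:
        """Consume a code: True if it was valid and unused, False otherwise. No code works twice."""
        candidate = self._digest(code)
        matched = None
        for stored in self._hashes:  # check every entry so timing does not reveal a hit
            if hmac.compare_digest(candidate, stored):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self._hashes)
```

Compare `remaining()` against `LOW_WATERMARK` to decide when to prompt the user for a fresh batch.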

Backup Codes vs Other Recovery Methods

Backup codes are one of several recovery mechanisms. Compared to the alternatives: a backup phone number (SMS) is convenient but vulnerable to SIM swapping. A recovery email is only as secure as that email account. Trusted contacts (Facebook's model) depend on the responsiveness of other people. Backup codes, stored securely, are the most reliable self-contained recovery method because they depend only on you.
