Numbers
TOTP Backup Code Generator
A TOTP backup code generator lets you create one-time recovery codes that mirror what services like GitHub, Google, and Dropbox hand users during 2FA setup. Developers building custom authentication flows need realistic codes to prototype onboarding screens, test input validation, and seed staging databases before any real cryptography is involved. This generator lets you choose how many codes to produce (up to any batch size) and pick from three real-world formats: XXXX-XXXX, XXXXXXXX, or XXX-XXX-XXX. All output uses ambiguity-free characters — no O/0 or I/1/l confusion — so what you test in Figma or Storybook behaves the same way users experience it under pressure.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Set the Number of Codes field to match how many backup codes your system or design requires (default is 10).
- Choose a Format from the dropdown — pick the pattern that matches your application's expected code structure.
- Click Generate to produce a full set of backup codes in the selected format.
- Review the list for readability, then copy the codes to use in your UI mockup, test database, or documentation.
Use Cases
- •Seeding a staging database with 10 correctly formatted recovery codes per test user for Cypress end-to-end auth tests
- •Populating Figma mockups of a 2FA onboarding screen with realistic XXXX-XXXX format codes before any backend exists
- •Generating example codes for a Notion security runbook or internal documentation without exposing real account credentials
- •Testing input mask validation and one-time-use enforcement logic in a Node.js or Django authentication module
- •Producing dummy recovery tokens for stakeholder demos of a custom admin portal's 2FA recovery UX
Tips
- →Match the format exactly to your production system before testing input validation — a format mismatch will give false passes.
- →If your app displays codes in a monospace font, test your chosen format with one to catch wrapping or alignment issues early.
- →Generate two or three sets in different formats side by side to help stakeholders agree on a standard before development begins.
- →Numeric-only formats are easier for users to type on mobile but harder to distinguish at a glance — use alphanumeric for printed codes.
- →When writing security documentation, use codes from this tool rather than redacting real ones — it removes any risk of accidental exposure.
- →Pair this generator with a password strength or entropy tool when designing your full authentication system to ensure consistent security UX.
FAQ
are these backup codes safe to use in a real authentication system
No. This generator uses JavaScript's Math.random(), which is not cryptographically secure. For real user accounts, generate codes server-side with a CSPRNG — crypto.randomBytes() in Node.js, secrets.token_hex() in Python, or your platform's equivalent. These outputs are safe for UI prototyping, QA seeds, and documentation only.
what format should 2fa backup codes use
XXXX-XXXX is the most widely recognised format — easy to read aloud, easy to transcribe, and familiar from Google and GitHub. The XXX-XXX-XXX option suits longer codes where extra grouping reduces errors. Whichever format you pick, keep it consistent across the full set and strip visually ambiguous characters like 0, O, 1, I, and l.
how many backup codes should an app give each user
Most major services default to 8 to 10 codes, which gives users enough for emergencies without creating a large attack surface if the list is stolen. Ten is the most common choice. For internal tools with a small user base, six codes with a clear regeneration flow is a reasonable minimum.
What are 2FA backup codes for?
They are one-time recovery codes that let a user regain access to an account if they lose their authenticator device or phone — each code works once, as a fallback for the normal second factor. Without them, losing the device can mean being locked out. The generator produces sets of these codes in common formats, so you can model or test a backup-code recovery flow.
How should users store backup codes safely?
Somewhere offline and separate from the device that generates their main 2FA codes — printed and kept securely, or saved in a password manager — never in plain text next to their login. The whole point is that they survive losing the phone. When building a real system, generate codes server-side with a secure library; this tool is for learning, testing, and mockups of that flow.
You might also like
Popular tools from other categories that share themes with this one.
Try these next
More free tools from other corners of the catalog, picked by shared themes.