TOTP Backup Code Generator
A TOTP backup code generator lets you create one-time recovery codes that mirror what services like GitHub, Google, and Dropbox hand users during 2FA setup. Developers building custom authentication flows need realistic codes to prototype onboarding screens, test input validation, and seed staging databases before any real cryptography is involved. This generator lets you choose how many codes to produce, in any batch size, and pick from three real-world formats: XXXX-XXXX, XXXXXXXX, or XXX-XXX-XXX. All output uses ambiguity-free characters — no O/0 or I/1/l confusion — so what you test in Figma or Storybook behaves the same way users experience it under pressure.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Set the Number of Codes field to match how many backup codes your system or design requires (default is 10).
- Choose a Format from the dropdown — pick the pattern that matches your application's expected code structure.
- Click Generate to produce a full set of backup codes in the selected format.
- Review the list for readability, then copy the codes to use in your UI mockup, test database, or documentation.
Use Cases
- Seeding a staging database with 10 correctly formatted recovery codes per test user for Cypress end-to-end auth tests
- Populating Figma mockups of a 2FA onboarding screen with realistic XXXX-XXXX format codes before any backend exists
- Generating example codes for a Notion security runbook or internal documentation without exposing real account credentials
- Testing input mask validation and one-time-use enforcement logic in a Node.js or Django authentication module
- Producing dummy recovery tokens for stakeholder demos of a custom admin portal's 2FA recovery UX
Tips
- Match the format exactly to your production system before testing input validation — a format mismatch will give false passes.
- If your app displays codes in a monospace font, test your chosen format with one to catch wrapping or alignment issues early.
- Generate two or three sets in different formats side by side to help stakeholders agree on a standard before development begins.
- Numeric-only formats are easier for users to type on mobile but harder to distinguish at a glance — use alphanumeric for printed codes.
- When writing security documentation, use codes from this tool rather than redacting real ones — it removes any risk of accidental exposure.
- Pair this generator with a password strength or entropy tool when designing your full authentication system to ensure consistent security UX.
FAQ
Are these backup codes safe to use in a real authentication system?
No. This generator uses JavaScript's Math.random(), which is not cryptographically secure. For real user accounts, generate codes server-side with a CSPRNG — crypto.randomBytes() in Node.js, secrets.token_hex() in Python, or your platform's equivalent. These outputs are safe for UI prototyping, QA seeds, and documentation only.
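A server-side counterpart to the answer above, as an added example that is not this tool's code: it draws codes from Python's `secrets` module in the three formats the page lists, and goes one step further by storing only salted digests and enforcing one-time use. The alphabet, the PBKDF2 work factor, the record layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet without the look-alikes the page names (0, O, 1, I, L).
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"
GROUPS = {"XXXX-XXXX": (4, 4), "XXXXXXXX": (8,), "XXX-XXX-XXX": (3, 3, 3)}
PBKDF2_ROUNDS = 100_000  # illustrative work factor (assumption), tune per host


def generate_codes(count=10, fmt="XXXX-XXXX"):
    """Draw `count` distinct codes from the OS CSPRNG via the secrets module."""
    codes = set()
    while len(codes) < count:
        codes.add("-".join(
            "".join(secrets.choice(ALPHABET) for _ in range(size))
            for size in GROUPS[fmt]))
    return sorted(codes)


def _digest(code, salt):
    """Hash the canonical form: uppercase, hyphens and whitespace stripped."""
    canonical = "".join(code.upper().replace("-", "").split())
    return hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, PBKDF2_ROUNDS)


def enroll(codes):
    """Return the record to persist: a salt plus digests, no plaintext codes."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "unused": [_digest(c, salt) for c in codes]}


def redeem(record, attempt):
    """Consume a matching code exactly once; True only on first valid use."""
    candidate = _digest(attempt, record["salt"])
    hit = None
    for stored in record["unused"]:
        if hmac.compare_digest(stored, candidate):  # constant-time compare
            hit = stored
    if hit is None:
        return False
    record["unused"].remove(hit)  # one-time use: the digest is gone after this
    return True
```

Show the plaintext codes to the user once at enrollment and persist only the record returned by `enroll()`.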
What format should 2FA backup codes use?
XXXX-XXXX is the most widely recognised format — easy to read aloud, easy to transcribe, and familiar from Google and GitHub. The XXX-XXX-XXX option suits longer codes where extra grouping reduces errors. Whichever format you pick, keep it consistent across the full set and strip visually ambiguous characters like 0, O, 1, I, and l.
How many backup codes should an app give each user?
Most major services default to 8 to 10 codes, which gives users enough for emergencies without creating a large attack surface if the list is stolen. Ten is the most common choice. For internal tools with a small user base, six codes with a clear regeneration flow is a reasonable minimum.