Recovery Code Generator

A recovery code generator creates sets of one-time backup codes used to regain account access when your 2FA device is unavailable. This tool produces alphanumeric codes in three formats (XXXX-XXXX, XXXXXXXX, or XXXX-XXXX-XXXX), matching the structures used by platforms like GitHub, Stripe, and Google Workspace. Ambiguous characters (0, O, 1, I, l) are excluded so codes stay readable from a printed sheet or when dictated over a call. Generate as many codes as you need, starting from 1, and pick your format. Every code is produced client-side, so nothing leaves your browser. Use this for testing 2FA recovery flows, seeding documentation with realistic examples, or understanding what properly structured backup codes look like before building your own system.

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Set the 'Number of codes' field to how many backup codes you need — 10 is standard for most accounts.
  2. Choose a format from the dropdown that matches your platform's expected code structure, defaulting to XXXX-XXXX.
  3. Click Generate to produce a fresh set of codes in your chosen format.
  4. Copy the full list and paste it directly into your password manager's notes field for this account.
  5. Optionally print the codes and store the sheet in a physically secure location as a second backup.

Use Cases

  • Seeding a 2FA enrollment UI in Storybook with realistic-looking XXXX-XXXX-XXXX format codes
  • Simulating code exhaustion in a staging environment to verify lockout and regeneration error states
  • Filling a security runbook or internal wiki with properly formatted recovery code examples
  • Generating placeholder codes to populate a Cypress test fixture for a 2FA recovery flow
  • Creating a printed backup sheet before an international trip where phone access is unreliable

Tips

  • After generating, immediately test one code in a staging or sandbox environment to confirm the format is accepted before relying on it.
  • Never screenshot recovery codes on a mobile device — photos sync to cloud services and can expose codes to unauthorized access.
  • If you're building a 2FA system, generate codes in batches of 10 and hash each one before storing — never store codes in plaintext, even recovery ones.
  • Regenerate the full set whenever you use even one code; a partially used list is harder to track and signals your account has been in a compromised state.
  • For team-shared accounts, store recovery codes in a shared password manager vault with access logging, not in a group chat or shared document.
  • When choosing between formats, longer codes like XXXX-XXXX-XXXX offer more entropy but are slower to type accurately under stress — weigh security against usability for your audience.

FAQ

Are recovery codes generated here safe to use in production?

No — this tool uses JavaScript's Math.random(), which is not a cryptographically secure RNG. For real user accounts, generate recovery codes server-side with a CSPRNG like crypto.randomBytes() in Node.js or secrets.token_hex() in Python. This generator is built for testing, prototyping, and documentation.
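The CSPRNG advice above and the earlier tip about hashing codes before storage, combined in one added Node.js example (not this site's code). The function names, the 32-symbol uppercase alphabet, the XXXX-XXXX default, the choice of scrypt as the hash, and the in-memory record shape are assumptions made for illustration.

```javascript
// Added example, not this site's code. Node.js standard library only.
const crypto = require("node:crypto");

// Assumed alphabet: uppercase letters and digits minus 0, O, 1, I (32 symbols).
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

// Draw each symbol with crypto.randomInt (CSPRNG, no modulo bias), then group.
function generateCode(groups = 2, groupLen = 4) {
  const parts = [];
  for (let g = 0; g < groups; g++) {
    let part = "";
    for (let i = 0; i < groupLen; i++) {
      part += ALPHABET[crypto.randomInt(ALPHABET.length)];
    }
    parts.push(part);
  }
  return parts.join("-");
}

// Canonical form for hashing: drop dashes and whitespace, upper-case the rest.
function normalize(input) {
  return String(input).replace(/[\s-]/g, "").toUpperCase();
}

// The stored record holds a per-code salt and scrypt digest, never the plaintext.
function hashCode(code) {
  const salt = crypto.randomBytes(16);
  return { salt, digest: crypto.scryptSync(normalize(code), salt, 32), used: false };
}

// Issue a batch: plaintext codes to show the user once, records to persist.
function issueBatch(count = 10) {
  const codes = Array.from({ length: count }, () => generateCode());
  return { codes, records: codes.map(hashCode) };
}

// Redeem: check every record with a constant-time compare, then burn the match.
function redeem(records, input) {
  const candidate = normalize(input);
  let hit = null;
  for (const rec of records) {
    const digest = crypto.scryptSync(candidate, rec.salt, 32);
    if (!rec.used && crypto.timingSafeEqual(digest, rec.digest)) hit = rec;
  }
  if (hit) hit.used = true;
  return hit !== null;
}

// Unused codes left, for a low-count warning such as "fewer than 3 remain".
const remaining = (records) => records.filter((r) => !r.used).length;
```

In a real service the records live in the database and the burn step must be atomic, so that two concurrent requests cannot redeem the same code.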

Why are characters like 0, O, 1, and l missing from the codes?

Those characters are visually ambiguous in most fonts, especially on printed paper or small screens. Excluding them means every character in a code has a clearly distinct shape, which cuts down on transcription errors when someone is typing from a sheet or reading codes aloud to support staff.

How many recovery codes should I generate for my app?

Most platforms issue 8 to 16 codes per user — 10 is a solid default. If you're building a system, consider warning users via email or a dashboard banner when fewer than 3 codes remain so they regenerate before running out entirely. This generator lets you test that exhaustion state by producing small batches on demand.