TOTP Backup Code Generator
A TOTP backup code generator helps you create one-time recovery codes for two-factor authentication systems: the safety net users reach for when their phone is lost, replaced, or broken. Services like Google, GitHub, and Dropbox hand out a small fixed batch of these codes during 2FA setup, and replicating that pattern in your own application means getting the format and character set right from the start. This generator lets you configure the number of codes and the display format, so you can prototype exactly what users will see during your app's onboarding.

The codes use an ambiguity-free character set (no zero that looks like the letter O, no one that looks like a lowercase L or a capital I), which reduces transcription errors when users type codes under stress. Developers building custom authentication flows can use these codes to test UI layouts, validate input masks, and populate staging environments without touching production cryptography. Security teams can use them for tabletop exercises and internal documentation that needs realistic-looking but non-sensitive example data.

For production systems, always generate backup codes server-side with a cryptographically secure random number generator (CSPRNG). This tool uses Math.random(), whose output is neither unpredictable nor seeded from a secure source; that is acceptable for design, testing, and educational purposes but not for codes that protect real accounts.
How to Use
- Set the Number of Codes field to match how many backup codes your system or design requires (default is 10).
- Choose a Format from the dropdown — pick the pattern that matches your application's expected code structure.
- Click Generate to produce a full set of backup codes in the selected format.
- Review the list for readability, then copy the codes to use in your UI mockup, test database, or documentation.
Use Cases
- Prototyping the backup code display screen in a 2FA onboarding flow
- Populating a staging database with realistic recovery codes for QA testing
- Generating example codes for security training slides or documentation
- Testing input validation and masking rules for backup code entry fields
- Demonstrating 2FA recovery UX to stakeholders without exposing real credentials
- Creating recovery tokens for internal admin tools with custom auth systems
- Filling design mockups with correctly formatted backup code examples
- Auditing how your UI handles different code formats before launch
Tips
- Match the format exactly to your production system before testing input validation; with a mismatched format you are exercising the wrong rules, and a passing test proves nothing about the real flow.
- If your app displays codes in a monospace font, test your chosen format in one to catch wrapping or alignment issues early.
- Generate two or three sets in different formats side by side to help stakeholders agree on a standard before development begins.
- Numeric-only formats are easier to type on a phone keypad but harder to tell apart at a glance, and each digit carries only about 3.3 bits of entropy against 5 bits per symbol for a 32-character alphabet; use alphanumeric for printed codes.
- When writing security documentation, use codes from this tool rather than redacting real ones; that removes any risk of accidental exposure.
- Pair this generator with a password strength or entropy tool when designing your full authentication system to ensure consistent security UX.
FAQ
What are 2FA backup codes used for?
Backup codes are single-use emergency tokens that let a user log in when they cannot access their authenticator app, for example after losing their phone or switching devices. Each code can only be used once, so the service marks it as consumed after a successful login. Most platforms provide around ten codes and allow regeneration, which invalidates the old set.
Are the codes this generator produces cryptographically secure?
No. This generator uses JavaScript's Math.random(), which is not a cryptographically secure random number generator. The codes are suitable for UI prototyping, QA testing, and documentation. For real user accounts, generate backup codes server-side using a CSPRNG — such as crypto.randomBytes() in Node.js, secrets.token_hex() in Python, or your platform's equivalent.
How many backup codes should I generate for users?
Most major services provide around ten codes, which is enough for several emergencies without leaving a large number of valid secrets outstanding if the set is stolen. The count also matters against online guessing: every unused code is one more value a guess can hit, so the number of codes and the rate limiting on your recovery endpoint go together. Ten is the most common default. For internal tools with a small user base, fewer codes with a clear regeneration flow can work just as well.
What format should backup codes be in?
The XXXX-XXXX format (two groups of four characters separated by a hyphen) is widely recognized and easy to read aloud or transcribe. Longer formats like XXXXXX-XXXXXX or numeric-only 8-digit codes are also common. Whichever you choose, avoid visually ambiguous characters, specifically 0/O and 1/I/l, and keep the format consistent across all codes in a set. The format also fixes the entropy of each code: eight symbols from a roughly 32-character alphabet give about 40 bits, eight decimal digits about 26.6 bits. Both are adequate for a code that is single-use and rate-limited; neither is adequate if the codes sit in a database in plaintext, where a leak hands them out directly.
How should users store their backup codes?
The safest options are printing the codes and storing them in a physically secure place, or saving them in a password manager like 1Password or Bitwarden. Avoid plain text files on the desktop or unencrypted email drafts. Remind users to regenerate codes after using one, and to generate a fresh set whenever they update their 2FA device.
Can I use this generator to test my authentication system's code validation?
Yes, for functional and UI testing these codes work well. Generate a batch that matches your production code format, then load it into your test database (as hashes, if that is how production stores codes, keeping the plaintext in the test fixture) to verify that your validation logic, input masking, and one-time-use enforcement all behave correctly. Just replace them with CSPRNG-generated codes before any real user data is involved.
What happens when a user runs out of backup codes?
Your system should allow users to regenerate a new set after authenticating through another method — or through an account recovery workflow. When a new set is generated, all previous codes must be invalidated immediately. Make this regeneration step prominent in your security settings UI so users do not discover they have no valid codes during an actual emergency.