Understand and safely store recovery codes before or during account recovery.

2FA Backup Codes Guide

Learn what backup codes are, where to find them, how to store them, and when to regenerate them.

Backup codes are issued by the platform you are protecting, not by a generic generator.
Most backup codes are one-time recovery secrets. Used or regenerated codes should be considered invalid.
Store them offline and separate from the phone or password manager that holds the normal sign-in path.

What backup codes are

A backup code is a platform-issued recovery secret you can use when the normal authenticator is unavailable. NIST treats saved recovery codes as look-up secrets, so they help availability but are not phishing-resistant.

Where to find them

Look inside each platform's security settings after 2FA is enabled. Examples include GitHub Recovery codes, Google Backup codes, Discord Backup Codes, Facebook Recovery codes, and Cloudflare Backup codes.

How to store and rotate them

Print them, write them down, or store them in a dedicated emergency vault. Regenerate them after a recovery event, after suspected exposure, or when the platform shows that too many codes are already used.

Recovery actions

  • Collect backup codes for every high-value account and label each set with the platform name.
  • Store one copy offline and one controlled team copy for business-critical shared systems.
  • Record the date you generated each set.
  • Regenerate a set immediately after using one code for recovery.

Important limits

  • Sample backup-code generators are useful for internal test systems only.
  • A backup-code screenshot saved on the same lost phone is not a reliable recovery plan.
  • Some platforms invalidate old codes as soon as you generate a new set.
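To make the server-side rules above concrete (one-time use, a "too many codes used" signal, and old codes dying when a new set is issued), here is an added example of how a service can issue and verify backup codes as look-up secrets; it is illustrative code written for this page, not any platform's implementation, and the set size, code length and warning threshold are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: the server keeps only hashes of the codes, marks each
# code used after a successful check, and invalidates the whole previous set
# on regeneration. Sizes below are assumptions, not any platform's values.
CODE_LENGTH = 10          # hex characters shown to the user
SET_SIZE = 8
LOW_CODES_WARNING = 2     # prompt for rotation at this many unused codes or fewer


def _hash(code: str) -> str:
    # Codes are high-entropy random values, so SHA-256 is adequate here;
    # normalising dashes and case avoids rejecting a correctly copied code.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


class BackupCodeSet:
    def __init__(self):
        self.hashes = {}    # hash -> True once the code has been used
        self.generation = 0

    def regenerate(self) -> list[str]:
        """Issue a fresh set; every code from the previous set becomes invalid."""
        codes = [secrets.token_hex(CODE_LENGTH // 2) for _ in range(SET_SIZE)]
        self.hashes = {_hash(c): False for c in codes}
        self.generation += 1
        return codes    # shown to the user once; plaintext is never stored

    def redeem(self, candidate: str) -> bool:
        """Accept a code only if it is in the current set and still unused."""
        digest = _hash(candidate)
        for stored, used in self.hashes.items():
            if hmac.compare_digest(stored, digest):
                if used:
                    return False    # one-time: a replayed code is rejected
                self.hashes[stored] = True
                return True
        return False    # unknown code, or a code from an older generation

    def remaining(self) -> int:
        return sum(1 for used in self.hashes.values() if not used)

    def needs_rotation(self) -> bool:
        # Mirrors the "too many codes already used" warning platforms display.
        return self.remaining() <= LOW_CODES_WARNING
```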
