2FA Backup Codes Explained
Backup codes — sometimes called recovery codes — are the safety net for two-factor authentication. They are a short list of one-time passwords that let you sign in when you do not have your authenticator app, for example after losing your phone. If you remember one thing about 2FA, make it this: save your backup codes somewhere safe.
What backup codes are
When you enable 2FA, the service generates a set of single-use codes — typically 8 to 10 of them — and shows them once. Each code logs you in exactly one time, standing in for your authenticator's 6-digit code. Once a code is used, it is dead. When you run low you regenerate a new set, which invalidates the old one.
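How a service might implement the lifecycle described above (show once, single use, regeneration invalidates the old set), as an added example that is not code from the original page or from any service named here. The class and function names, the code format and the 16-character length are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed format: 16 chars from a 31-symbol alphabet without look-alikes (0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 16  # ~79 bits, enough that a fast unsalted hash is defensible here


def _digest(code: str) -> str:
    # Normalise what the user types (case, spaces, dashes) before hashing.
    norm = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(norm.encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical in-memory store; a real service would persist the hashes."""

    def __init__(self):
        self._unused = {}  # user -> set of SHA-256 digests of unused codes

    def regenerate(self, user: str, count: int = 10) -> list[str]:
        """Issue a fresh set; replacing the dict entry invalidates the old set."""
        raw = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
               for _ in range(count)]
        self._unused[user] = {_digest(c) for c in raw}
        # Plaintext is returned once for display and never stored.
        return ["-".join(c[i:i + 4] for i in range(0, CODE_LEN, 4)) for c in raw]

    def redeem(self, user: str, code: str) -> bool:
        """Accept a code at most once."""
        candidate = _digest(code)
        unused = self._unused.get(user, set())
        # Constant-time comparison against every stored digest.
        hit = [h for h in unused if hmac.compare_digest(h, candidate)]
        if not hit:
            return False
        unused.discard(hit[0])  # consume: this code is now dead
        return True

    def remaining(self, user: str) -> int:
        return len(self._unused.get(user, set()))
```

Because only digests are kept, the plaintext codes cannot be shown again later, which matches services that display the set once at generation time.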
Where each service shows them
| Service | Count | Where |
|---|---|---|
| Google | 10 | Security → 2-Step Verification → Backup codes |
| GitHub | 16 | Settings → Password and authentication → Recovery codes |
| Discord | ~10 | User Settings → Account → 2FA → View Backup Codes |
| Microsoft | 1 | account.live.com → Security → Advanced → Recovery code |
| Facebook / Instagram | ~10 | Security → Two-factor authentication → Recovery codes |
| Most others | 5–10 | Shown right after you enable 2FA — save them then |
How to store them safely
- Best: save them in a password manager (1Password, Bitwarden, etc.) as a secure note.
- Good: print them and keep the paper somewhere only you can access.
- Avoid: a plain screenshot in your phone's photo library that syncs unencrypted to the cloud — that is the first place an attacker who breaks into your cloud account would look.
- Subtle but important: do not store an account's backup codes inside the same account they protect (e.g. your email's codes in that email's drafts).
What to do if you lose your backup codes
If you are still logged in or still have your authenticator, just regenerate them: open the same 2FA settings page and click Generate new codes. This invalidates the old set, so update wherever you stored them. If you are locked out entirely — no codes and no authenticator — you are into account recovery.
See how to recover 2FA access →
Backup codes vs an authenticator backup
Backup codes get you in once each; a backup of your TOTP secret restores the code generator itself. They complement each other. 2FAA can export your secrets to a file and import them on another device, so you keep generating the real codes even after losing a phone — with backup codes as the fallback on top.
Don't rely on a single device
Hold your TOTP secrets in 2FAA, keep an export as a backup, and store each service's backup codes in your password manager. Free, browser-based, nothing leaves your device.
FAQ
What are 2FA backup codes?
Backup codes (also called recovery codes) are a short list of one-time passwords a service generates when you enable 2FA. Each one logs you in once as a substitute for your authenticator's 6-digit code, so you can still get in if you lose your phone or authenticator app.
What should I do if I lose my backup codes?
If you are still logged in or still have your authenticator, just regenerate them in the service's 2FA settings — this creates a new set and invalidates the old one. If you are locked out entirely, with no codes and no authenticator, you will need to go through the service's account recovery process.
Can I reuse a backup code?
No. Each backup code works exactly once and is then consumed. That is why services give you a list of them — cross off each code as you use it, and regenerate a new set before you run out.
How many backup codes do services give you?
Typically 8 to 10. Google provides 10, GitHub provides 16, Discord around 10. Microsoft is the exception — it issues a single recovery code that you regenerate after use.
Is it safe to store backup codes in a password manager?
Yes — a reputable password manager is one of the best places for them. The one caveat: don't store an account's backup codes inside the same account they protect (for example, your email's codes saved in that email). Keeping them in a separate, well-secured vault avoids a single point of failure.