Backup codes are single-use emergency codes provided when you enable 2FA. They're your safety net if you lose your phone or authenticator app.
How Backup Codes Work
When you enable 2FA, most services generate 8–10 one-time codes. Each code can only be used once — after use, it's permanently invalidated. They work even when your authenticator app is unavailable.
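The single-use behaviour described above, as an added example from the service's side. It is not from the original page or from any particular service's code. The BackupCodeStore class, the alphabet, the code length, the salted SHA-256 storage and the rule that regenerating replaces the old batch are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: the page only says most services issue 8-10 codes.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o/1/l/i lookalikes
CODE_LEN = 10
NUM_CODES = 10


def normalize(code):
    """Accept codes typed with spaces, dashes or capitals."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(salt, code):
    # Assumption: codes are random and long, so a salted SHA-256 is used
    # instead of a slow password hash.
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class BackupCodeStore:
    """Hypothetical per-account store that keeps only hashes of unused codes."""

    def __init__(self):
        self._salt = b""
        self._unused = set()

    def regenerate(self):
        """Issue a fresh batch; assumed here to replace the previous batch."""
        self._salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(NUM_CODES)]
        self._unused = {_digest(self._salt, c) for c in codes}
        return [f"{c[:5]}-{c[5:]}" for c in codes]  # plaintext leaves the server once

    def redeem(self, submitted):
        """Return True exactly once per valid code, then forget its hash."""
        candidate = _digest(self._salt, submitted)
        match = None
        for stored in self._unused:  # constant-time comparison per entry
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # permanent invalidation after use
        return True

    def remaining(self):
        return len(self._unused)
```

Because only hashes are kept in this sketch, the service cannot show the codes again later, which is why the copy you save at setup matters.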
Where to Store Them
- Password manager (best option) — encrypted, synced, searchable. Store alongside the password and TOTP secret for that account.
- Printed paper — physical copy, offline, can't be hacked. Store securely.
- Encrypted file on offline USB — good for the paranoid.
Never store backup codes in plain text on your computer, in email, or in cloud notes (unless encrypted).
What NOT to Do
- Don't screenshot them and leave the image in your photos — these are synced to the cloud and easily found
- Don't store in the same place as your password
- Don't ignore the "save backup codes" prompt — this is the only time they're shown
What If You've Run Out of Backup Codes?
Most services let you regenerate backup codes in security settings if you're currently logged in. Do this before you run out.
Lost Both Phone AND Backup Codes
Your options:
1) Use your saved Base32 TOTP secret key in another TOTP generator.
2) Contact the service's account recovery — identity verification required, can take days to weeks.
3) Some services verify via backup email address.