What Are 2FA Backup Codes?

Backup codes are your safety net when you lose access to your 2FA device

When you enable two-factor authentication on most services, you're given a set of backup codes, a list of one-time-use emergency access codes. They exist for exactly one purpose: getting back into your account if you lose your authenticator device.

Backup codes bypass your regular 2FA method. Each code can only be used once, and then it's permanently invalidated.

What Backup Codes Look Like

Backup codes are typically presented as a list of 8–10 codes, each 8–10 characters long. Common formats:

Google format (8 groups of 8 digits):
83749201
72948301
61837492
...

GitHub format (short alphanumeric):
a8f3-9e2b
c7d1-4f5a
...

Dropbox format (3 groups with dashes):
73928 18374 29384
...

The exact format varies by service, but they all work the same way: enter one during login when prompted for your 2FA code, and it grants one-time access.

How Many Backup Codes Do You Get?

Most services provide 8–10 backup codes. Here's what major platforms offer:

Service      Number of codes   Can regenerate?
Google       10 codes          Yes (invalidates old ones)
GitHub       16 codes          Yes
Facebook     10 codes          Yes
Twitter/X    12 codes          Yes
Dropbox      8 codes           Yes
Microsoft    8 codes           Yes

Where to Store Backup Codes (Secure Options)

Option 1: Password Manager (Best for Most People)

Store backup codes as a secure note in your password manager (Bitwarden, 1Password, etc.) alongside the account credentials. Pros: always available, encrypted, searchable. Con: If you lose access to your password manager and your 2FA device simultaneously, you're in trouble, so always have a second backup location.

Option 2: Printed and Stored Physically

Print backup codes and store them in a secure physical location, such as a home safe, a lockbox, or a file with other important documents. This is offline and immune to hacking. Pros: no digital risk. Cons: can be lost, damaged by fire/water, and not accessible remotely.

Option 3: Encrypted File in Cloud Storage

Create a text file with your backup codes, encrypt it (with VeraCrypt, 7-Zip, or your password manager's export), and store it in cloud storage. This gives you remote access without storing plaintext codes online.

What NOT to Do

  • Don't store them in plain text in Dropbox or Google Drive: unencrypted codes in cloud storage are as good as public if your cloud account is compromised
  • Don't screenshot them on your phone: the camera roll syncs to the cloud and is accessible from your phone, which could be lost or stolen
  • Don't email them to yourself: email is frequently compromised, and codes sitting in your inbox are a liability
  • Don't store them in the same app as your 2FA codes: losing the app loses both your codes and your backup

When and How to Use a Backup Code

  1. Go to the login page of the service
  2. Enter your username and password
  3. When prompted for your 2FA code, look for a link like "Try another way," "Use a backup code," or "Lost your phone?"
  4. Select "Backup code" or "Recovery code"
  5. Enter one of your unused backup codes (format varies by site: some need dashes, some don't)
  6. Access is granted for this session
  7. Immediately after logging in: go to your security settings and re-enroll your new device for 2FA, then generate new backup codes (which invalidate the remaining old ones)
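What steps 5 to 7 look like from the service's side, as an added sketch that is not part of the original article and not any real provider's code: codes come from a CSPRNG, only salted hashes are kept, dashes and spaces in what the user types are ignored, a code is consumed on first use, and regenerating replaces the whole set. The `BackupCodeSet` class, the 8-digit format and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"  # assumption: numeric codes like the 8-digit sample above


def normalize(entered: str) -> str:
    """Drop the dashes/spaces a user may or may not type."""
    return "".join(ch for ch in entered if ch.isalnum()).lower()


class BackupCodeSet:
    """Hypothetical per-account store; a real service keeps this in its database."""

    def __init__(self, count: int = 10, length: int = 8):
        self.count, self.length = count, length
        self.salt = b""
        self.unused: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        # Only salted, slow hashes are stored, never the codes themselves.
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), self.salt, 100_000)

    def regenerate(self) -> list[str]:
        """Issue a fresh set; every code from the previous set stops working."""
        self.salt = secrets.token_bytes(16)
        codes: set[str] = set()
        while len(codes) < self.count:  # CSPRNG, retry on the rare duplicate
            codes.add("".join(secrets.choice(DIGITS) for _ in range(self.length)))
        self.unused = {self._digest(c) for c in codes}
        return sorted(codes)  # shown to the user once

    def redeem(self, entered: str) -> bool:
        """Accept an unused code exactly once, then invalidate it."""
        candidate = self._digest(entered)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)  # safe: we return before iterating further
                return True
        return False


if __name__ == "__main__":
    account = BackupCodeSet()
    first = account.regenerate()
    code = first[0]
    print(account.redeem(code[:4] + "-" + code[4:]))  # dashed entry accepted
    print(account.redeem(code))                        # second use rejected
    account.regenerate()
    print(len(account.unused))                         # fresh full set
```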

Managing Your Backup Codes

  • Track which codes you've used: cross them off your printed list, or delete them from your password manager note after use
  • Regenerate when running low: if you've used several codes, regenerate the full set before you run out
  • Regenerate when changing devices: whenever you reset 2FA on a new device, generate new backup codes and securely delete the old set
  • Regenerate if you suspect exposure: if your backup code storage may have been accessed, regenerate immediately

Frequently Asked Questions

What happens if I use all my backup codes?

Once all backup codes are used, generate a new set immediately in your account's security settings. If you've used all codes AND lost access to your authenticator, you'll need to use the service's account recovery process (which is much slower and may require identity verification).

Can backup codes be used more than once?

No, each backup code is a one-time-use token. Once it's been used, it's permanently invalidated. This is by design: if someone else gets a copy of your backup codes, they can only use each one once, and you'll notice missing codes when you check.

Are backup codes secure?

As secure as how you store them. The codes themselves are cryptographically random, typically providing 40–80 bits of entropy, essentially impossible to guess. The security risk comes from how you store them, not from the codes themselves.

Do backup codes expire?

Unused backup codes generally don't expire with time (unlike TOTP codes). They remain valid until used or until you regenerate your code set. Some services may invalidate them if you change your password or make major account changes. Check the specific service's policy.

I lost all my backup codes and my authenticator. What now?

Use the service's account recovery process. Each service handles this differently. See our guide: Lost Your 2FA Device? Here's What to Do. For critical accounts, this can take days. This is why storing backup codes in at least two secure locations is so important.

Written by Shoyeb Akter

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.