Backup codes for 2FA testing
When a user loses their authenticator device, backup codes (also called recovery codes) let them back into an account. This tool generates realistic sets of them in the common formats so you can wire up and test the setup screen, the “save your codes” prompt, and the recovery input field without touching a real auth provider.
How it works
You pick a format and a count. The generator draws each character from the alphabet that matches the format:
- 8-digit numeric — like
4810 2937, digits only. - 10-character alphanumeric — like
g7k2m9q4xz, a Crockford-style base32 alphabet with ambiguous characters removed. - Hyphenated 5x5 — like
a9f2k-7m3qx, two groups of five for easier reading.
Randomness comes from crypto.getRandomValues when the browser exposes it, falling back to Math.random. Each code in a set is independent, mirroring how a real provider issues a batch at enrolment.
Tips and notes
- In production, never store backup codes in plain text. Hash each one (the same way you would a password) and mark it consumed on first use.
- The hyphenated format is the most user-friendly for codes a person reads aloud or types from paper.
- Generate a fresh set whenever a user regenerates codes — old codes should all be invalidated at once.