ValidEmailChecker

What do I do if I run out of 2FA backup codes?

Last updated May 20, 2026Account & security

Backup codes on Valid Email Checker are one-shot. Each of the 10 codes you saved at setup time works exactly once — when you use one to sign in, our verify-2fa-totp function removes it from the stored set and saves the shortened list. After a few losses or forgotten authenticator events, that pool runs dry. The remaining-codes counter on the response (and on the sign-in success toast) tells you where you stand.

The regeneration steps

You cannot top up the existing pool — VEC only mints codes during a fresh 2FA setup. The clean way to get a new batch is:

  1. Sign in normally using your authenticator app.
  2. Open Account Settings → Security.
  3. Click Disable on the Google Authenticator row, type DISABLE (case-sensitive), confirm. Your TOTP secret is wiped.
  4. Immediately click Enable. Scan the new QR code with your authenticator. The app will replace the old VEC entry with the new one (or you can add it as a second entry and remove the old).
  5. On the confirmation screen, save the 10 fresh backup codes.

Why we don't expose a "regenerate codes" button

Rotating just the backup codes (without re-confirming the TOTP secret) would mean an attacker with a stolen session could mint themselves a fresh pool of one-time bypass codes without ever holding your phone. Tying regeneration to a full 2FA re-setup forces a real proof of control: only someone who can scan a QR code into your authenticator app gets the new batch.

Don't wait for empty to act

  • When you are down to 2-3 backup codes left, treat it as the cue to regenerate. The whole process is under two minutes and avoids the much worse situation of running out at the wrong moment.
  • If you use email 2FA without TOTP, the question doesn't apply — email 2FA doesn't issue backup codes. Each sign-in mints a fresh email code on demand.
  • Save the new batch the same day you generate it. The single biggest reason people end up emailing support@validemailchecker.com for manual 2FA recovery is "I generated codes, meant to save them later, never did."
Last-resort recovery
If you have no codes AND no authenticator access at the same time, contact support@validemailchecker.com from the email on your account. Manual identity verification will get you back in but takes longer than self-service regeneration.

Related questions

What are 2FA backup codes and how do I use them?
Where do I find my 2FA backup codes again after the initial setup?
How do I enable two-factor authentication (2FA) on my account?
I lost access to my authenticator app — how do I get back in?
Back to all FAQs

Still stuck? Email support