Where do I find my 2FA backup codes again after the initial setup?

Last updated May 20, 2026 | Account & security

If you enabled authenticator-app 2FA on Valid Email Checker and now want to see your backup codes again, the honest answer is that we do not show them again. They surface exactly once, on the green confirmation screen at the end of the 2FA setup flow, and after you click past that page they cannot be retrieved through the dashboard. This is deliberate — anything we could re-display, an attacker who hijacks a logged-in session could also re-display.

How the codes are stored on our side

When you finish setup, our setup-2fa-totp function generates 10 backup codes (10 hex characters each), shows them to you in plaintext one time, and persists the same set into user_2fa_settings.backup_codes_encrypted. When you later use a backup code at sign-in, we hash your input and compare it to that stored set. We never store the plaintext outside the response that went to your browser at setup time, and we cannot decode the stored values to show them again.
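
The storage pattern described above (show the codes once, persist only hashes, hash and compare at sign-in), as an added example that is not Valid Email Checker's own code. The hash choice (salted PBKDF2), the single-use behaviour, the record layout, and the names enroll and redeem are assumptions; the article does not specify them.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10          # from the article: 10 backup codes
CODE_HEX_LEN = 10        # from the article: 10 hex characters each (40 bits)
PBKDF2_ROUNDS = 200_000  # assumption: the article does not name the hash


def _digest(code: str, salt: bytes) -> str:
    # Normalise what the user typed, then apply a slow salted hash: a 40-bit
    # code is too small a space for a bare fast hash if the table ever leaks.
    norm = code.strip().lower().replace("-", "").replace(" ", "")
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ROUNDS).hex()


def enroll() -> tuple[list[str], dict]:
    """Return (plaintext codes for the one-time screen, record to persist)."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(CODE_HEX_LEN // 2) for _ in range(CODE_COUNT)]
    # Hypothetical record layout: only the salt and digests are stored.
    record = {"salt": salt.hex(), "digests": [_digest(c, salt) for c in codes]}
    return codes, record


def redeem(record: dict, submitted: str) -> bool:
    """Check a submitted code; on success drop its digest (assumed single use)."""
    candidate = _digest(submitted, bytes.fromhex(record["salt"]))
    match = None
    for stored in record["digests"]:  # scan every entry, no early exit
        if hmac.compare_digest(stored, candidate):
            match = stored
    if match is None:
        return False
    record["digests"].remove(match)
    return True


if __name__ == "__main__":
    codes, record = enroll()
    print("shown once:", codes)
    print("persisted digests:", len(record["digests"]))
    print("first use:", redeem(record, codes[0]))
    print("replay:", redeem(record, codes[0]))
```

Because the record holds only digests, nothing in it can be turned back into the codes for display, which is why a lost set has to be regenerated rather than retrieved.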

What to do if you have no record of your codes

There is a clean recovery path as long as you still have access to your authenticator app:

  1. Open Account Settings → Security.
  2. Click Disable on the Google Authenticator row, type DISABLE (case-sensitive) in the confirmation field, and confirm. Your TOTP secret is wiped from user_2fa_settings.
  3. Immediately click Enable on the same row. Scan the fresh QR code with your authenticator and complete the setup again.
  4. On the final confirmation screen, a brand-new set of 10 backup codes appears. Save them this time — into a password manager, a printed sheet in a safe place, or both.

If you have no codes AND no authenticator access

This is the hard case — you cannot sign in to disable 2FA because you have no authenticator and no backup code. Email support@validemailchecker.com from the email address on your account. We verify identity manually (signup metadata, billing history, recent verification activity) before clearing 2FA. The process is intentionally slow because a fast lane here would be an attacker's lane too. The whole story lives in "What if I lose my authenticator".

One-time display is by design

Every legitimate user benefits from the one-time-display rule because it raises the cost of session theft. Save the codes the first time and the rest of the policy disappears into the background.