When you enable two-factor authentication on your Mastodon account, the system generates a set of backup codes. These single-use codes let you sign in if you lose access to your authenticator app or hardware token. Without them, you can be permanently locked out of your account if your 2FA device fails. This article explains how to regenerate your backup codes and what to do if you have lost them.
Mastodon shows backup codes only during the initial 2FA setup and does not display them again unless you explicitly regenerate them. If you have already used all your codes or misplaced the original list, you must create a new set to maintain account access. The process takes less than one minute and requires your current 2FA method to confirm your identity.
This guide covers the exact steps for regenerating backup codes on both the web interface and the official Mastodon mobile app. It also explains the security implications of regenerating codes and how to store them safely.
Key Takeaways: Regenerating Mastodon 2FA Backup Codes
- Preferences > Account > Two-factor Authentication: Access the page where backup codes are generated and regenerated.
- Regenerate codes button: Invalidates all previous backup codes and creates a fresh set of ten single-use codes.
- Store codes offline: Save the regenerated codes in a password manager or on paper. Do not store them in your email or cloud drive without encryption.
How Mastodon Backup Codes Work and When to Regenerate Them
Mastodon backup codes are ten random alphanumeric strings, each valid for one sign-in attempt. When you enter a backup code during login, the system marks it as used. After all ten codes are consumed, you cannot sign in using backup codes unless you regenerate them. The same applies if you lose the original list before using any codes.
Regeneration is necessary in the following situations:
- You have used all ten backup codes and need a fresh set.
- You lost the paper or file where you stored the codes.
- You suspect someone else obtained your backup codes and might use them to access your account.
- You are switching to a new authenticator app and want to invalidate codes that were generated under the old setup.
Regenerating codes does not disable your current two-factor authentication. It only replaces the backup code list. Your existing authenticator app or hardware token continues to work normally. The old codes become invalid the moment you confirm the regeneration.
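The lifecycle described above (ten codes, each burned on first use, the whole set replaced on regeneration) can be modeled in a few lines of Ruby. This is an added example, not Mastodon's own code; the class name, the 12-character hex code format and the digest-only storage are assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Simplified model of a single-use backup code store (illustrative, not Mastodon code).
class BackupCodeStore
  CODE_COUNT = 10 # the article's "ten single-use codes"
  CODE_BYTES = 6  # assumed length: 6 random bytes -> 12 hex characters

  def initialize
    @digests = [] # only digests are kept; plaintext codes are returned once
  end

  # Replaces the whole set, so every earlier code stops working at once.
  def regenerate!
    codes = Array.new(CODE_COUNT) { SecureRandom.hex(CODE_BYTES) }
    @digests = codes.map { |c| digest(c) }
    codes
  end

  # Returns true and burns the code on first use; false for unknown or reused codes.
  def consume!(candidate)
    wanted = digest(candidate)
    index = @digests.index { |d| OpenSSL.secure_compare(d, wanted) }
    return false if index.nil?

    @digests.delete_at(index)
    true
  end

  def remaining
    @digests.size
  end

  private

  # Normalizes whitespace and case before hashing so a pasted code still matches.
  def digest(code)
    Digest::SHA256.hexdigest(code.to_s.strip.downcase)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = BackupCodeStore.new        # constructed demo run
  old = store.regenerate!
  puts store.consume!(old.first)     # true: first use succeeds
  puts store.consume!(old.first)     # false: the code was already used
  store.regenerate!
  puts store.consume!(old.last)      # false: the old set was invalidated
end
```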
Steps to Regenerate Backup Codes on the Mastodon Web Interface
- Sign in to your Mastodon account
Open your instance URL in a browser and log in with your email and password. Complete the two-factor authentication prompt using your authenticator app or a backup code if you still have one.
- Open Preferences
Click the gear icon in the right sidebar or select Preferences from the user menu in the top navigation bar. The Preferences page loads.
- Go to Account settings
In the left navigation pane, click Account. This opens the main account settings page.
- Locate the Two-factor Authentication section
Scroll down until you see the heading Two-factor Authentication. Below this heading you will see your current 2FA method listed, such as an authenticator app or security key.
- Click the Regenerate codes link
Below your 2FA method, click the link labeled Regenerate codes. A confirmation dialog appears warning that regenerating codes will invalidate all existing backup codes.
- Confirm the action
Enter your current Mastodon password to confirm your identity. Then click the Regenerate button. The page refreshes and displays a new set of ten backup codes.
- Copy and store the new codes
Click the Copy button to copy all codes to your clipboard. Paste them into a password manager, a secure note, or print them and store the paper in a safe place. Do not leave them in your clipboard after pasting.
Steps to Regenerate Backup Codes on the Mastodon Mobile App
- Open the Mastodon app and sign in
Launch the official Mastodon app on your iOS or Android device. Log in to your account and complete the two-factor authentication prompt.
- Navigate to Preferences
Tap the profile icon in the bottom navigation bar to open your profile page. Tap the gear icon in the top right corner to open Preferences.
- Select Account
In the Preferences list, tap Account. Scroll down to the Two-factor Authentication section.
- Tap Regenerate codes
Below your current 2FA method, tap the Regenerate codes link. A confirmation screen appears.
- Confirm with your password
Enter your Mastodon password and tap Regenerate. The app generates a new list of ten backup codes.
- Copy and save the codes
Tap Copy to copy the codes to your device clipboard. Immediately paste them into a secure storage app. On Android, you can also tap the share icon to send the codes to a password manager directly.
Common Mistakes When Using Backup Codes
Storing codes in plain text in email or cloud storage
If you email the backup codes to yourself or save them in a cloud drive without encryption, anyone who gains access to that account can sign in as you. Use an encrypted password manager or write the codes on paper and store them in a locked drawer.
Regenerating codes without invalidating the old set
When you regenerate codes, Mastodon invalidates the previous set automatically. You do not need to manually delete or revoke anything. However, if you regenerated codes by mistake, the old codes are gone permanently. You cannot recover them.
Using a backup code while the authenticator app is still available
A backup code uses up one of your ten slots even if you still have access to your authenticator app. Only use a backup code when you cannot complete the normal 2FA prompt. To preserve codes for emergencies, always use your authenticator app for routine sign-ins.
Not testing a backup code after regeneration
After regenerating codes, sign out of your account and try signing in using one of the new backup codes. This confirms the codes work and that you copied them correctly. If the code fails, regenerate again and repeat the test before storing the list.
Mastodon Backup Codes: Web Interface vs Mobile App
| Item | Web Interface | Mobile App |
|---|---|---|
| Access path | Preferences > Account > Two-factor Authentication | Profile > Preferences > Account > Two-factor Authentication |
| Regenerate button location | Link below the 2FA method | Link below the 2FA method |
| Confirmation method | Enter Mastodon password | Enter Mastodon password |
| Code output | Displayed on screen after confirmation | Displayed on screen after confirmation |
| Copy mechanism | Copy button copies all codes to clipboard | Copy button copies all codes to clipboard; share icon available on Android |
| Old codes invalidated | Immediately upon regeneration | Immediately upon regeneration |
You can now regenerate your Mastodon 2FA backup codes using either the web interface or the mobile app. After regeneration, store the new codes in a password manager or write them down and keep them in a secure physical location. Test one code immediately to confirm the list works. As an advanced precaution, rotate your backup codes every six months even if you have not used any of them.