PHPGangsta / GoogleAuthenticator

PHP class to generate and verify Google Authenticator 2-factor authentication

Home Page: http://phpgangsta.de/4376

How to develop recovery codes?

wuxiuhong opened this issue · comments

How to develop recovery codes?

@wuxiuhong, in my web application, I create recovery codes just by randomly generating them using a cryptographically strong random generator like openssl_random_pseudo_bytes(), then securely hash them like I do with passwords, and then store them in the database with the user. The plain text (not the hash) I give to the user.

Pitfall: you can show the code to the user only once. If he loses it, he must get a new code. (Like with passwords)
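The approach described in the comment above, as an added example that is not part of the GoogleAuthenticator class or the commenter's own code. The function names are hypothetical, a PHP array stands in for the per-user database rows, and `random_int()` is used as the CSPRNG in place of `openssl_random_pseudo_bytes()`:

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; an array stands in for the per-user database rows.
// 32 symbols with no 0/O/1/I, so 12 characters carry 60 bits of entropy.
const RECOVERY_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/** Returns [plaintext codes to show once, hashes to store]. */
function generateRecoveryCodes(int $count = 10, int $length = 12): array
{
    $plain = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $code = '';
        for ($j = 0; $j < $length; $j++) {
            // random_int() draws from the OS CSPRNG without modulo bias.
            $code .= RECOVERY_ALPHABET[random_int(0, strlen(RECOVERY_ALPHABET) - 1)];
        }
        // Grouping is for display only; the hash covers the bare code.
        $plain[] = implode('-', str_split($code, 4));
        $hashes[] = password_hash($code, PASSWORD_DEFAULT);
    }
    return [$plain, $hashes];
}

/** Checks a submitted code and deletes the matching hash so it is single-use. */
function redeemRecoveryCode(string $input, array &$storedHashes): bool
{
    // Normalize what the user typed: drop separators and spaces, uppercase.
    $code = strtoupper((string) preg_replace('/[^A-Za-z0-9]/', '', $input));
    foreach ($storedHashes as $idx => $hash) {
        if (password_verify($code, $hash)) {
            unset($storedHashes[$idx]); // persist this deletion in the real store
            return true;
        }
    }
    return false;
}

[$plain, $hashes] = generateRecoveryCodes(3);
echo "Show once:\n", implode("\n", $plain), "\n";
var_dump(redeemRecoveryCode(strtolower($plain[0]), $hashes)); // first use
var_dump(redeemRecoveryCode($plain[0], $hashes));             // replay of the same code
var_dump(count($hashes));                                     // hashes left in the store
```

Because only hashes are stored, a lost code cannot be displayed again; issuing replacements means generating a fresh set and discarding the old hashes.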