[LaGrange]

...there are other 2fa methods that don't disable at least one "personal" factors, whether that's a password or using finger/face/whatever. Not that great against cops, but stands a chance against many abusers, recent exes and terrible flatmates. And the yubikey is, theoretically, worn on you. Are you going to carry around all the printouts?

[fierarul]

I'm having a hard time figuring out what kind of scenarios you are securing against.

The recovery code, just like the hardware 2fa, does not work unless you know the password. So you want to secure against people that live with you, know your password and from whom you cannot hide anything anywhere?

The printout is the size of a business card. You could put it in your Bible as a booksign an nobody would find them. Or if you want you could rot13 them or something basic so they can't be used as-is.

Actually, what are you suggesting instead? I'm genuinely curious what flawless solution you found.

[LaGrange]

The 2fa has to provide something more than a password to be worthwhile. If it's easily defeated by growing through my copy of Capital then it's not worthwhile. Finally, I don't have a single set of recovery codes, I have at least a dozen by now. By using recovery codes you've turned a somewhat harsh but sometimes-useful security scheme (for situations where loss of access is preferable to 3rd party access) into security theatre. Not that it matters, most services will "restore access" if you answer questions not just your flatmates but even an average doxxer will be able to find out.

Also no, you're not genuinely curious, you're trying to waste someone else's time.

[fierarul]

But nobody is forcing you to print or use your security codes. If you ignore then and your hardware key is broken/lost you are forever locked out. Which you mention is preferable, sometimes.

So, you are against things. What are you for?