Microsoft thinks it is fine for most user's threat models because these use two stacked layers of encryption: your Microsoft account and either Apple's cloud backup encryptions or Google's. To move these codes between devices you have to login in both your Microsoft account and also your Apple or Google account in quick succession. I know on Apple devices it works in the same (iCloud) backup layer that disables other device keys so doing this on a new device will "break" access on the previous device (only one device at a time has access). (I'm not sure about Google's ecosystem.) You can't easily switch ecosystems with this. Microsoft seems to think it unlikely enough that both your Microsoft account and your device ecosystem account will be compromised at the same time that there is enough security in this depth.