by DogLover_ 1197 days ago
The problem with backup codes is that many people don't understand how crucial they are if they lose their device. Even IT people. I believe it is a step many skip because they falsely believe they can get access in some other way if necessary.

That it has become standard makes me think the inventors/providers have not thought it through.

1 comments

I'll admit to being an IT person who didn't understand how they worked for a whole year after I first set them up on my Google account. I seriously thought that they were one-time passwords by themselves. About a year later, I decided to test my disaster recovery plan and found that I also needed to have my Google password memorized; I couldn't depend on retrieving it from my KeePass database stored in Google Drive. In retrospect, yes I was stupid, but this honestly wasn't clear to me at first.