
You use the backup keys the service gave you when you enabled 2FA.



Those backup keys defeat the entire purpose of 2FA and are like storing passwords in plain text. It only takes 1, maybe 2 of those codes for an attacker to add another security key to your account for future unlimited access.

Supporting multiple keys is a better solution.


Supporting multiple keys is a good idea but it solves a different problem. People want peace of mind.

Backup codes are not like passwords in at least two important ways:

* The site picks them, not you, so they're random nonsense different for each code, rather than inevitably being password1234 and being the same on Instagram, Twitter and your bank account.

* You don't need them usually, so there's no reason you'll have them to hand, which then makes it harder to steal them. Even for a social engineering attack, you increase the friction because now to help the attackers a user needs to go find their backup keys which is a hassle.
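One way a service can issue and verify codes of this kind, written here as an added Python example rather than code from the thread or from any particular service (the code length, the count of ten, the hyphenated display format and the PBKDF2 stretching are assumptions): the server chooses the codes at random, keeps only salted hashes of them, and invalidates each code on first use, so a stolen database of backup-code hashes is not the same as a database of plaintext passwords.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: parameters are assumptions, not any real site's policy.
CODE_BYTES = 5           # 40 bits of entropy per code -> 8 base32 characters
CODE_COUNT = 10
PBKDF2_ROUNDS = 100_000  # codes are short, so stretch them like a password


def generate_codes(count: int = CODE_COUNT) -> list[str]:
    """Server-chosen random codes, shown to the user exactly once at enrolment."""
    codes = []
    for _ in range(count):
        raw = secrets.token_bytes(CODE_BYTES)
        code = base64.b32encode(raw).decode().lower()  # 8 chars, no '=' padding
        codes.append(f"{code[:4]}-{code[4:]}")         # e.g. "k3fz-7qaa"
    return codes


def normalize(code: str) -> str:
    """Accept what a user is likely to type: any case, with or without separators."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class BackupCodeStore:
    """What the site persists: a per-user salt and salted hashes, never the codes."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list[bytes] = field(default_factory=list)

    @classmethod
    def from_codes(cls, codes: list[str]) -> "BackupCodeStore":
        store = cls()
        store.hashes = [_hash(c, store.salt) for c in codes]
        return store

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, attempt: str) -> bool:
        """Consume a code: True the first time it is presented, False afterwards
        and for codes that were never issued."""
        candidate = _hash(attempt, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[i]  # single use: the same code never works twice
                return True
        return False


if __name__ == "__main__":
    issued = generate_codes()
    print("Show these to the user once:", issued)
    store = BackupCodeStore.from_codes(issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("replay:", store.redeem(issued[0]))      # False
    print("codes left:", store.remaining())        # 9
```

A code that has been redeemed is deleted rather than flagged, so a replay fails for the same reason an unknown code fails, and the user can be shown how many codes remain and be prompted to regenerate the set when it runs low.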


I think the parent’s point is that if you’re going to allow backup codes you might as well just add “second password” as a form of 2FA and enforce some basic complexity requirements.



