The point is to block unauthorized access. It is not less than useless. It absolutely does that. You really think if you lost your token Amazon would lock you out forever? Wrong assumption.
FWIW, at a workplace I'm familiar with, the hardware MFA devices for a group 'disappeared' from the office during COVID and despite the company having an active relationship and contracts with AWS, it was taking over a year to get access to the root accounts in question reset. It is not an easy process.
That said, I have to imagine this is the wrong procedure and there's some way to duplicate hardware MFA devices to have redundancy for such a case...
Besides, just use Authy if that's your concern.