What’s the point of 2FA, if there’s a recovery code you can use when you lose ability to use your 2FA device?


In the end, isn’t that recovery code just the same as a password?


17 Answers

Anonymous 0 Comments

Lots of confusion here about recovery codes and reset codes. OP is asking about the code you get *when you first set something up*. Reset codes you get in an email or whatever are not recovery codes, they’re something else. They’re actually a form of 2FA; OP is asking about the system behind 2FA apps.

The easy answer is – it’s hella-long. Passwords needing to be complex is actually false. A short password with letters, numbers and symbols is borderline-infinitely easier to crack than a password made up of a few words.

Recovery codes are typically made up of several words, and anyone trying to crack this would die in the heat death of the universe before they were able to crack it.

(There’s also the fact that recovery codes can’t really be brute-forced, as brute forcing typically requires a local copy and local systems for speed. Recovery codes are much harder to do en masse due to each attempt needing to be checked. Long story short, nobody is even attempting to crack a recovery code.)

EDIT: Or wait lol, am I the one getting mixed up here? Are you talking about the “I can’t get a 2FA code atm, send me a recovery code” thing? Yeah, that’s just a case of hopefully the attackers don’t also have access to the device you send the 2FA code to. Instead of having your login & password, they would also need access to your phone or email account. So it’s sacrificing ultimate security for convenience.

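As an added illustration that is not part of the answer above: the Python below puts numbers on the "few words beats a short complex password" point and sketches how a site can issue word-based recovery codes as single-use secrets stored only as hashes. The tiny wordlist, the 6-word code length and the 10-guesses-per-second throttle are constructed assumptions, not any real service's settings.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy wordlist for the demo; a real scheme uses a large list
# (a 7776-word diceware-style list gives ~12.9 bits per word).
WORDLIST = ["apple", "river", "stone", "cloud", "ember", "ivory", "maple", "quartz"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def expected_online_crack_years(bits: float, attempts_per_second: float) -> float:
    """Expected time to guess a secret of `bits` entropy when every guess must be
    submitted to the server, which throttles to `attempts_per_second` (assumed)."""
    expected_guesses = 2 ** (bits - 1)  # on average half the keyspace
    return expected_guesses / attempts_per_second / (365 * 24 * 3600)


class RecoveryCodeStore:
    """Server side: issue single-use word-based recovery codes and keep only hashes."""

    def __init__(self, words_per_code: int = 6, count: int = 8, wordlist=WORDLIST):
        self.wordlist = wordlist
        self.words_per_code = words_per_code
        self.count = count
        self._hashes: set[bytes] = set()

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self) -> list[str]:
        """Generate fresh codes with a CSPRNG; the plaintext is shown to the user once."""
        codes = [
            "-".join(secrets.choice(self.wordlist) for _ in range(self.words_per_code))
            for _ in range(self.count)
        ]
        self._hashes = {self._hash(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code at most once; compare hashes in constant time."""
        candidate = self._hash(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)  # burn it: a recovery code is single-use
                return True
        return False
```

With these assumptions an 8-character password from the 95 printable ASCII characters carries about 52.6 bits, while a 6-word code from a 7776-word list carries about 77.5 bits, and at 10 throttled guesses per second the expected online crack time for the latter is on the order of 10^14 years.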