The point of Two Factor is that it *utterly* precludes replay attacks and regular password theft. Yes, you do have a recovery code which permits you to re-set your 2FA device/app, but that code is never transmitted over the wire, so it’s far, far more difficult to capture and decrypt.