The point of it is that unlike your password, it is auto-generated, long, much more random, and you don’t use it day to day (ideally it’s not even stored on any of your devices, but on paper, printed). This means it won’t be easily stolen by e.g. a keylogger or a phishing attempt.

It’s also a different “factor”. It’s in the “something you have” category, rather than the “something you know”.

Lots of confusion here about recovery codes and reset codes. OP is asking about the code you get *when you first setup something*. Reset codes you get in an email or whatever are not recovery codes, they’re something else. They’re actually a form of 2FA, OP is asking about the system behind 2FA apps.

The easy answer is – it’s hella-long. Passwords needing to be complex is actually false. A short password with letters numbers and symbols is borderline-infinitely easier to crack than a password made up of a few words.

Recovery codes are typically made up of several words, and anyone trying to crack this would die in the heat death of the universe before they were able to crack it.

(There’s also the fact that recovery codes can’t really be brute-forced, as brute forcing typically requires a local copy and local systems for speed. Recovery codes are much harder to do en-masse due to each attempt needing to be checked. Long story short, nobody is even attempting to crack a recovery code)

EDIT: Or wait lol am I the one getting mixed up here, are you talking about “I can’t get a 2FA code atm send me a recovery code” thing ? Yeah that’s just a case of, hopefully the attackers don’t also have access to the device you send the 2FA code to. Instead of having your login & password, they would also need access to your phone or email account. So it’s sacrificing ultimate security for convenience.

This isn’t a technology issue, it’s a human issue if the 2FA device is lost. The system is not the problem.

2FA protects against a range of password attacks, but is obviously dependant on your ability to authenticate with this 2nd factor, meaning 2FA also adds a new, previously not present, risk.

The recovery code is to reduce this new risk so you can perform authentication without MFA in exceptional circumstances

How is this different from normal password authentication?

If implemented correctly (There is no guarantee):

First of all you can not choose recovery codes as you choose a password. The recovery code is generated for you so it is unique, limiting exposure only to that specific application/service. They can also only be used once.

Secondly, this is not the normal authentication flow and authentication with recovery codes is monitored extensively.Very often there are additional restrictions in place, such as no possibility to change key account information, etc…If misuse is detected, preventive actions are taken to protect you.

it also depends on the quality of the recovery password

in our case the btit locker password is 32 long and contains roughly 25% of each: upper case letters, lowercase letters numbers, and symbols and us rotated every time somebody uses it. or 90 days when it comes due.

and only it has this and you generally need to be physically have them type it in.

“100% guaranteed secure” is an unsolvable problem. When perfect is impossible the only sane goal is to get as close as you can to perfect; so “50% secure” is considered better than “49% secure” (if you don’t take other things, like cost or convenience, into account).

**”2FA + 1FA recovery” is slightly more secure (than “1FA + 1FA recovery”) because you’re not using 1FA as often.**

“2FA + 2FA recovery” would be more secure, and “99FA + 55FA recovery” would be even more secure. However, if you do take things like cost and convenience into account, “more secure” does not imply “better”. This is trivial to prove by making it literally impossible for anyone to log in (which is extremely close to “100% secure” and also extremely useless).

2FA is a stupid attempt to look more secure and nothing more.

In theory it means the bad guys can’t listen and figure out your password.

In practice it means you can’t change devices, numbers or email addresses ever and you have to run to the other end of the house or call your wife to log in.