It's a truism that secure things are secure. But engineers make mistakes, and that's why you need layers of defense. And when you use recovery codes that are in the realm that can be brute forced, you automatically have a problem when rate limiting or other anti-brute-force measures fail. Which is why using stronger 2-factor codes should be the default, especially for super high impact things like password recovery.


> And honestly, is having to type 12 characters such a burden for the exceptional case of a password reset? I don't think so.

If those "engineers" need a minimum of 26-character one-time-use passwords that can only be used one time to feel secure, I don't trust those engineers (unless they allow me to copy and paste it).

A one-time-use 6 digit password that can only be tried once is pretty damn secure if it is random.
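The two comments above disagree about code length but agree on the mechanics: a code is only as safe as the attempt budget an attacker actually gets. The following is an added example, not code written by either commenter, that puts the layers in one place: a CSPRNG-generated numeric code, stored only as a hash bound to the account, single use, an attempt cap, an expiry, and a constant-time comparison. `guess_probability` shows how the attacker's odds scale with the number of attempts the server permits, which is the quantity that matters when rate limiting fails. Names, the 6-digit length, the 3-attempt cap and the 10-minute TTL are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed parameters for this example; a real deployment picks its own.
CODE_DIGITS = 6       # length of the numeric recovery code
MAX_ATTEMPTS = 3      # guesses allowed before the code is burned
TTL_SECONDS = 600     # code expires ten minutes after issue


@dataclass
class RecoveryCode:
    """Server-side record for one issued code. Only a hash is stored."""
    code_hash: bytes
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(user_id: str, code: str) -> bytes:
    # Bind the code to the account so a leaked record cannot be replayed elsewhere.
    return hashlib.sha256(f"{user_id}:{code}".encode()).digest()


def issue_code(user_id: str, now: Optional[float] = None) -> Tuple[str, RecoveryCode]:
    """Generate a uniformly random numeric code with a CSPRNG.

    Returns the plaintext code (to deliver to the user out of band) and the
    record the server keeps. The plaintext is never stored.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    return code, RecoveryCode(code_hash=_hash_code(user_id, code), issued_at=now)


def verify_code(user_id: str, record: RecoveryCode, candidate: str,
                now: Optional[float] = None) -> bool:
    """Check a candidate against the record, enforcing single use, attempt cap and TTL.

    Every rejected precondition is checked before the comparison, so an exhausted
    or expired code never reaches the hash check at all.
    """
    now = time.time() if now is None else now
    if record.consumed:
        return False                                    # already redeemed once
    if record.attempts >= MAX_ATTEMPTS:
        return False                                    # attempt budget exhausted
    if now - record.issued_at > TTL_SECONDS:
        return False                                    # expired
    record.attempts += 1                                # count the attempt first
    ok = hmac.compare_digest(record.code_hash, _hash_code(user_id, candidate))
    if ok:
        record.consumed = True                          # one successful use only
    return ok


def guess_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random code.

    This is the attacker's best case against a uniform code; it is bounded by
    the attempt budget, not by how 'secret' the code looks.
    """
    space = alphabet_size ** length
    return min(attempts, space) / space


if __name__ == "__main__":
    # Three tries at a six-digit code versus an unbounded online guessing budget.
    print("6 digits, 3 attempts:", guess_probability(10, 6, 3))
    print("6 digits, 1e6 attempts:", guess_probability(10, 6, 10**6))
    print("26 alphanumerics, 1e6 attempts:", guess_probability(36, 26, 10**6))
```

The point the code makes is that the 6-digit code and the 26-character code differ mainly in what happens when the attempt cap is gone: with three tries the short code gives an attacker three chances in a million, while with a million tries the short code is certain to fall and the long code is still out of reach.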