
Well, hopefully you never lose your original birth certificate and your social security card! You won't be a citizen anymore!


But unlike your original birth certificate and your social security card, you can keep an arbitrary number of copies of your backup codes in an arbitrary number of safe caches.


But what if I didn't do any of those things? What if I made a mistake and didn't save my backup codes on 3 different types of storage medium (at least one of them offsite)?

Or at all?


Certainly, if you construct enough postulates, you can wind up in some funny places. If you forget your cash, is a shop obligated to give you the goods for free? What if you fail to read the sign in the car saying "NO LOBSTERS" and you have your crustacean for a walk?

What if you made a new Uber account with another email address? Would you be committing a venal sin?

Your actual sin, non-venal, was not naming the thread either "I love reductive argument ad absurdum" or "Uber needs a real human on the helpdesk, this is why"


> What if you made a new Uber account with another email address? Would you be committing a venal sin?

Uber accounts are tied to phone numbers. Should I get a new phone number just because Uber's support bot is incapable of helping me recover my account?


> Uber accounts are tied to phone numbers

This itself is an actual problem.


So you're hitting upon an actual problem that we encounter often in the tech age. It turns out there's a whole category of users who have this problem: users who have no secure place to store secondary data. In other words: the homeless.

They have access to the Internet at libraries and as more and more of the world goes on line, that access becomes more and more necessary. But they don't necessarily have a wallet (let alone a safe) to store passwords and 2FA tokens, and when they lose them it's a major issue.

This is a known problem but (as with so many issues in marginalized communities), the challenge to solving it is that it will make the system worse for everyone (including them) if we relax 2FA requirements; hackers can crack passwords on, and impersonate, the homeless just as easily as everyone else.

(The best idea I've actually heard in this space is for librarians to be willing to serve as data repositories for their local unhoused patrons. They are onsite enough and have enough face-to-face interaction to be able to spot-auth someone because they know them by name. But there's a massive liability concern about the library becoming a target for identity theft that keeps most places from considering it).


You can always just fix it now as long as you have anything that works now.

You don't need the annoying one-time-use backup codes either, you can save and copy and reuse the original seed value just like any other secret. Or generate a new one now and save that, if your current single copy is not in software that provides a means of export.

The seed value is just another password. You can have any number of copies of it in any number of forms from a text file to printed in a safe deposit box. You can have any number of working copies of it on any number of different devices, all at the same time.

If you are in another country with nothing but your head, you can buy a new device, use it to access a copy of your secrets by any means you want, install software fresh, load your seed values, and regain all your totp.

You will need a way to access your secrets without totp. This can be anything, a paper copy, a sd card, an online service that you can access with only a password or that can be recovered, a phone call to a family member who you can tell how to access something and read it to you, whatever, it's just some text you have to stick somewhere and get back to later.

And if you don't have either the one time codes or the original seed value (from the original qr code or url) but you have an app that works right now, you can go redo it and this time save the seed value.

There is really no danger from totp EXCEPT the fact that most common apps and web sites obfuscate what's actually going on, and don't tell you to save the seed value, and instead give you these one time use codes. That creates a danger where there wasn't any.

Ideally, for proper security one should not do the convenient thing and store both the normal login and the totp seed value in the same place, but for instance keepass can store everything and not only store the seed value but also display the current totp code to use for logging in.

All 12 of your different copies of your keepass db file are fully functional totp generators, and all you have to do is just load that db on any new device.
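
The comment above says the TOTP seed is "just another password" and that any copy of it is a working generator. Here is that claim in working code, added as an illustration and not part of the comment or of any app mentioned in the thread. It parses the otpauth:// URI that sits behind a site's enrolment QR code (the URI here is constructed; the secret is the RFC 6238 reference key "12345678901234567890" in base32, not a real account), turns the seed back into storable text, and computes and verifies codes per RFC 4226/6238 with nothing but the Python standard library. The labels, issuer and function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example URI, the kind of thing encoded in an enrolment QR code.
# Secret = base32 of the RFC 6238 test key "12345678901234567890"; the
# label and issuer are made up for this example.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the raw seed bytes and parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret_b32 = q["secret"].upper().replace(" ", "")
    # Many issuers omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def seed_as_text(secret):
    """The seed in the form you would paste into a password manager or print."""
    return base64.b32encode(secret).decode("ascii")


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = getattr(hashlib, algorithm)
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with the counter derived from Unix time.

    Every device holding the same seed computes the same value for the same
    30-second step, which is why any copy of the seed is a working generator."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify(secret, candidate, at=None, window=1, digits=6, period=30, algorithm="sha1"):
    """Server-side check: accept the current step and +/- `window` neighbours
    (clock skew), comparing in constant time and without short-circuiting so
    timing does not reveal which step, if any, matched."""
    if at is None:
        at = time.time()
    step = int(at) // period
    ok = False
    for c in range(step - window, step + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate)
    return ok


if __name__ == "__main__":
    enrolment = parse_otpauth(EXAMPLE_OTPAUTH_URI)
    print("seed to back up:", seed_as_text(enrolment["secret"]))
    # Two "copies" of the seed: same bytes, same code, no server involved.
    copy_a = enrolment["secret"]
    copy_b = base64.b32decode(seed_as_text(enrolment["secret"]))
    now = time.time()
    print("code from copy A:", totp(copy_a, now))
    print("code from copy B:", totp(copy_b, now))
```

Usage note: the stored text from `seed_as_text` (or the original otpauth URI) is all you need to re-enrol a fresh device; the one-time backup codes a site hands out are a separate, server-held list and are not derived from the seed. The `verify` function is included to show the other side of the protocol and why a leaked seed is as bad as a leaked password: whoever holds it can pass this check.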


I mean, we just read about it, right? (:

Harsh but let this be a lesson to set up a more resilient structure for yourself moving forward. Anyone can make mistakes. You can set up failsafes for your own ones pre-emptively.

"2FA is garbage" is not the right lesson to learn here...


> let this be a lesson

I forgot my backup code, so now I can just never use Uber again.

Lesson learned!

(you see how ridiculous this is, right?)


Was thinking more of any other accounts you may be sure to keep access to in the future... How's your e-mail doing?


It is ridiculous that you think this problem exists.

