Comment 8 for bug 938589

I'll close this bug - we have the option of generating paper backup devices and will soon do this on 2FA enablement so it will take deliberate action from people to NOT have a recovery device, and we're implementing measures to periodically check the backup device is current and active to reduce the chance of people generating and then forgetting about their backup codes.

We can NOT email or SMS recovery codes since an email compromise (with which an attacker can request a password reset) is precisely the thing 2FA is designed to protect against, and SMS is subject to phone number hijacking.