Thanks for explaining! I was mainly curious what viable alternatives there would be for the average user, and I think your suggestions are sound. Even technical folks want things to feel as frictionless as possible.
The nice thing about recovery codes is being able to store them securely in a password manager alongside any other entries for the service.
The downside is they're easy to leak (or lose), so the added factors in requiring access to email (also with its own 2FA) are lost in a system like this, if whatever you're managing is mission critical. I wouldn't want to make that kind of bet, personally.
I get it, that's why I advocate letting users choose. Especially with a technical audience, treating them like they can't be trusted to make mission critical choices is not good.