Backup Codes and Back Doors

I’m on a mailing list where someone sent this email:

In the case of a lost phone that has been set up for 2FA with services such as Gmail and Slack, a set of backup codes to bypass 2FA [is created] to sign in. It sounds like an insecure backdoor to me. Wonder what the community thinks about the implementation.

Like all “is this system secure?” questions, the answer is the follow-up question “against what?”.

These are example backup codes. Not mine.

Service: Congrats, you’re enrolled in two-factor! Please take this arbitrary text and store it somewhere, securely and indefinitely.

User: Ugh, I’m on my phone and that sounds like a hassle. I’ll do it later.

[time elapses]

User: I dropped my phone in the toilet and I don’t have a login code! Why won’t you let me in?

Service: No problem — please provide a backup code.

User: A what?

When passwords are compromised, we recommend two-factor authentication wholeheartedly. We imply that it is costless. But in doing so, we presume people can manage backup codes; if they could, they could also manage strong passwords, and two-factor would add little. We are asking people to trade the “I can’t manage strong passwords” problem for the “I can’t access my account” problem.
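To make the “against what?” concrete, here is a hypothetical backup-code store in Python. It is an added example, not code from this post or from Gmail, Slack or any other service; the function names, the store layout and the constants are assumptions. It shows what a backup code is from the service’s side: a second random secret that is shown once, kept only as a salted hash, accepted only once, and locked after repeated wrong guesses. Against a leaked database or online guessing it is no weaker than a password; against a user who never stored it, there is nothing the service can do, which is exactly the trade described above.

```python
"""Hypothetical backup-code store (constructed for this example; not any
real service's code).  Demonstrates the properties that make a backup code
no worse than a password: random, shown once, stored hashed, single-use,
and protected against online guessing."""
import hashlib
import hmac
import secrets

CODE_BYTES = 5            # 40 bits per code -> 10 hex characters for the user
CODES_PER_USER = 10
MAX_FAILURES = 5          # wrong guesses before backup-code login is locked
PBKDF2_ROUNDS = 20_000    # kept low for the example; raise it in a real service


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are short, so a salted, iterated hash is used rather than plain SHA-256,
    # which slows offline guessing if the store ever leaks.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def issue_backup_codes(store: dict, user: str) -> list:
    """Generate a fresh set of codes; the plaintext is returned once and not kept."""
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODES_PER_USER)]
    salt = secrets.token_bytes(16)
    store[user] = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in codes],
        "failures": 0,
    }
    return codes


def redeem_backup_code(store: dict, user: str, submitted: str) -> bool:
    """Accept a code at most once; refuse everything after MAX_FAILURES misses."""
    rec = store.get(user)
    if rec is None or rec["failures"] >= MAX_FAILURES:
        return False
    candidate = _hash_code(submitted.strip().lower(), rec["salt"])
    match_index = None
    for i, stored in enumerate(rec["hashes"]):
        # Compare every slot so timing does not reveal which one matched.
        if hmac.compare_digest(stored, candidate):
            match_index = i
    if match_index is None:
        rec["failures"] += 1
        return False
    del rec["hashes"][match_index]   # single-use: a captured code cannot be replayed
    rec["failures"] = 0
    return True


def codes_remaining(store: dict, user: str) -> int:
    rec = store.get(user)
    return len(rec["hashes"]) if rec else 0


if __name__ == "__main__":
    db = {}
    shown_once = issue_backup_codes(db, "alice")
    print("Store these now; they will not be shown again:", shown_once)
    print(redeem_backup_code(db, "alice", shown_once[0]))   # first use succeeds
    print(redeem_backup_code(db, "alice", shown_once[0]))   # replay is refused
    print(codes_remaining(db, "alice"))
```

Note that nothing here helps the user in the dialogue above: once the plaintext list has left the enrolment screen, the service holds only hashes, and a code the user never saved is gone for good.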

Security for the people.