Delivering recovery codes to users' inboxes in plaintext is a security weakness. Instead, a one-time link should be delivered to users' inboxes, through which they can visit a page on the site that will show them their recovery code only once. After leaving that page, it is up to the user to have stored the recovery code in a safe place.
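One way to implement the one-time link described above (an added example, not the project's own code; the class name, the 15-minute expiry and the in-memory dict standing in for a database table are assumptions):

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime; the text above does not specify one


def _digest(token):
    # Only the hash of the link token is kept, so a leaked table
    # cannot be replayed as working links.
    return hashlib.sha256(token.encode()).hexdigest()


class OneTimeRecoveryLinks:
    """Hypothetical store of recovery codes waiting to be viewed once."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) -> (recovery_code, expires_at)
        self._now = now

    def issue(self, recovery_code):
        """Register a pending view and return the token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + LINK_TTL_SECONDS
        self._pending[_digest(token)] = (recovery_code, expires_at)
        return token

    def redeem(self, token):
        """Return the recovery code on the first valid visit, otherwise None."""
        # pop() removes the entry before anything is shown, so a reload or a
        # second visitor with the same link gets nothing.
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        recovery_code, expires_at = entry
        if self._now() > expires_at:
            return None  # expired links are consumed too, never shown
        return recovery_code


if __name__ == "__main__":
    links = OneTimeRecoveryLinks()
    t = links.issue("CONSTRUCTED-SAMPLE-CODE")  # constructed sample value
    print(links.redeem(t))  # first visit shows the code
    print(links.redeem(t))  # second visit: None
```

In a real deployment the `pop` would be a single atomic delete-and-return in the database, and the page that displays the code should be served with `Cache-Control: no-store`.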