Open miketheman opened 10 months ago
@tarekziade Thanks for inquiring!
One of the key features of the recovery codes is to not lose them. Treat them like exactly what they are - recovery codes. In the catastrophic event that the user has lost their 2FA method, account recovery codes are there to help. Losing them doesn't accomplish the goal.
However, if you're thinking of other account recovery processes, happy to hear a proposal!
Would it be possible to implement a password reset process for users that are locked out of their 2FA with recovery codes lost? Right now the manual recovery process takes several months which can be problematic if you need to update a package that has a security issue.
GH uses SSH keys, or previously-used-device techniques; see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/recovering-your-account-if-you-lose-your-2fa-credentials#requesting-help-with-two-factor-authentication
Happy to help implement something, or contribute in any way. Thanks
Originally posted by @tarekziade in https://github.com/pypi/warehouse/issues/14010#issuecomment-1869508976