Most implementations throw about 20 "recovery codes" at you, and at the absolute fucking worst possible moment, while the user is trying to do something urgent, they say "save these in a secure place right now".
It's not 1, but 20 passwords that ALL give access to your account. Where do you think those codes go?
They are not only phishable, but they usually end up in a Google doc, screenshotted and pasted to Notion, or some other insecure place.
Not all fluff is equal.
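A worked example, added here and not from the post, of the server-side handling that keeps a batch of recovery codes from being 20 plaintext passwords waiting to leak: only hashes are stored, each code is burned on first use, and lookup is constant-time. The function names, alphabet and 8-code batch size are the example's own assumptions.

```python
# Added example (not from the post): server-side discipline for recovery codes.
# The plaintext codes are shown to the user once; the server keeps only hashes.
import hashlib
import hmac
import secrets

CODE_LEN = 12
# 31 unambiguous characters (no i, l, o, 0, 1); 31**12 is roughly 2**59.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    # Treat "abcd-efgh-jkmn", "ABCD EFGH JKMN" and "abcdefghjkmn" as the same code.
    return "".join(code.lower().split()).replace("-", "")


def _digest(code: str) -> str:
    # Codes carry ~59 bits of entropy, so a plain SHA-256 is adequate here;
    # a slow KDF is for low-entropy user-chosen passwords, not random codes.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_codes(count: int = 8):
    # Returns (plaintext_codes, stored_hashes). Persist only the hashes.
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        codes.append(f"{raw[:4]}-{raw[4:8]}-{raw[8:]}")
    return codes, {_digest(c) for c in codes}


def redeem_code(stored: set, attempt: str) -> bool:
    # Compare against every unused hash without early exit, then burn the
    # matched hash so the same code can never be replayed.
    target = _digest(attempt)
    matched = None
    for h in stored:
        if hmac.compare_digest(h, target):
            matched = h
    if matched is None:
        return False
    stored.discard(matched)
    return True
```

Rate limiting of redemption attempts and a fresh batch (revoking the old hashes) after a successful recovery sit outside this snippet but belong in the same flow.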