Right now, 2FA is half-baked. You can enable it and it gives you a link to sync it to an authenticator app, which only works on mobile. But there’s no confirmation required to enable it, so you may think it’s working with your code but it doesn’t take. This will lock people out of accounts.
It really should be disabled until it’s fully fleshed out. In the meantime, give us the option to send 2FA codes to the verified email on file.
UPDATE: Read this post here: https://lemmy.sdf.org/post/405431
It’s clear that the Lemmy implementation of 2FA is flawed as it a) doesn’t work with all authenticator apps, and b) doesn’t verify the code is working before it enables 2FA on the account.
It needs to be disabled until this is fixed.
In iOS, the activation of 2FA is an automated process, eliminating the need for a separate 2FA code to confirm its enablement.
I agree with your observation regarding the unavailability of backup codes for download.