When you enable MFA for many popular services they provide you with 10 recovery codes that will allow you to temporarily disable or update your MFA settings with their service in the event that your device is lost, stolen, or simply stops working.

But why do they generate 10 codes? It's counter-intuitive to me that there would be more than a single recovery code generated.

Is security not weakened by virtue of the fact that there are 10 codes, not one? If there's only one code the attacker must "guess" that particular code out of all possibilities. But if there's 10 codes then an attacker only needs to guess 1 of the 10 out of all the possibilities which I understand as a ten-fold increase in the probability of a successful attack.

Can anyone shed some light on the reasoning behind this?

AJB
    Wouldn't that just mean that instead of 1 in a gazillion (say 2^128, in case of a 128-bit key), you now have 10 in a gazillion possibilities? Hardly an improvement; and better usability (you could store different keys in different places, or share them partially with someone you trust) – ndrix Jan 11 '17 at 07:04

1 Answer

The codes are normally one-time use, so providing more than one is most likely a convenience to the end user. For example, maybe the user needs to log in but doesn't have the chance to change their security settings until a later time. Or maybe there was an error in the login and now they are completely locked out if they didn't have additional codes.

Many of the services also email you when the backup keys are used, so you are instantly notified.

I would assume many of the services also take precautions to thwart brute force attempts, whether that be by rate limiting, lock outs, black listing or notifications to the account owner.

I remember reading about how the recovery keys are generated and saved, but I cannot find the source now. From what I remember, there are something like 1000, or maybe a lot more than that, pre-generated recovery keys. They provide 10 for you to use that are active, and when one is used, it is no longer usable and now there are fewer available recovery keys overall (999).

Gerk
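The following is an added illustration of the points in this answer (hashed storage, one-time redemption, capped failed attempts) together with the question's probability argument; it is not code from the original post or from any service. The 80-bit code length, the function names and the lockout threshold are assumptions made for the example.

```python
import hashlib
import hmac
import math
import secrets

CODE_BYTES = 10  # assumption for this example: 80-bit codes, shown as 20 hex chars


def generate_codes(n=10):
    """Return n fresh random recovery codes (the plaintext shown to the user once)."""
    return [secrets.token_hex(CODE_BYTES) for _ in range(n)]


def hash_code(code):
    """Store only a hash so a leaked database does not yield usable codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side state: hashes of the unused codes plus a failed-attempt counter."""

    def __init__(self, codes, max_failures=5):
        self.active = {hash_code(c) for c in codes}
        self.failures = 0
        self.max_failures = max_failures

    def redeem(self, candidate):
        """One-time use: a correct code is removed; a wrong one counts toward lockout."""
        if self.failures >= self.max_failures:
            return False  # locked out: guessing is capped regardless of how many codes exist
        digest = hash_code(candidate)
        # constant-time comparison of the candidate's hash against every active hash
        matched = [h for h in self.active if hmac.compare_digest(h, digest)]
        if matched:
            self.active.remove(matched[0])
            return True
        self.failures += 1
        return False


def guess_success_probability(active_codes, code_bits):
    """Chance that a single random guess hits any one of the active codes."""
    return active_codes / 2 ** code_bits


def effective_bits(active_codes, code_bits):
    """Entropy a single code would need to be exactly as hard to guess as `active_codes` codes."""
    return code_bits - math.log2(active_codes)
```

With ten 128-bit codes the attacker's per-guess odds are indeed ten times those of a single code, but that is equivalent to a single code of about 124.7 bits, and the failure cap bounds the number of guesses they get at all.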