Option to require SSL connection to show Recovery codes, or insist on sending them through email instead

Created on 10 August 2015, over 9 years ago
Updated 23 December 2024, 17 days ago

One of the great benefits of this module is that it provides secure login also for web sites that do not have their own SSL security certificate. In these cases, the user logs in with a password that every time is sent openly across the internet. The security lies in that the TOTP codes or Recovery Codes or SMS are only valid once, but especially, are SENT securely to the user before usage.

Therefore, I suggest providing an option to enforce sending new Recovery codes through email instead of showing them on-screen, IF/WHEN the TFA page is served over HTTP (not SSL).

Even if that email is also sent openly, at least it is sent openly from a different IP/cookie source (the server), and to an email that is more probably behind SSL so that the codes cannot easily be intercepted.

Should not serve the list of Recovery codes over an insecure connection.
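As an added example (not code from the TFA module or from this issue's author), here is one way the requested option could be enforced in Drupal 8+: a route access callback that refuses to render the recovery-code page unless the request arrived over TLS. The module name `tfa_https_guard`, the class name and the `recovery_codes_require_https` config key are assumptions; `Request::isSecure()` and `AccessResult` are real Drupal/Symfony APIs.

```php
<?php

namespace Drupal\tfa_https_guard\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\HttpFoundation\Request;

/**
 * Refuses to render the recovery-code page unless the request used TLS.
 *
 * Hypothetical access check, not part of the TFA module. Attach it to the
 * recovery-code route in the module's routing.yml with:
 *   requirements:
 *     _custom_access: '\Drupal\tfa_https_guard\Access\SecureTransportAccessCheck::access'
 */
class SecureTransportAccessCheck {

  /**
   * Route access callback; Drupal injects the current request and account.
   */
  public static function access(Request $request, AccountInterface $account) {
    // Hypothetical setting; the real TFA module has no such key.
    $required = (bool) \Drupal::config('tfa.settings')->get('recovery_codes_require_https');

    if (!$required) {
      return AccessResult::allowed()->addCacheTags(['config:tfa.settings']);
    }

    // isSecure() is true for a direct TLS connection. Behind a TLS-terminating
    // proxy it honours X-Forwarded-Proto only when that proxy is listed in
    // Drupal's reverse_proxy settings (settings.php); without that, an HTTPS
    // site behind a proxy would be treated as plain HTTP and locked out.
    if ($request->isSecure()) {
      return AccessResult::allowed()
        ->addCacheContexts(['url.site'])
        ->addCacheTags(['config:tfa.settings']);
    }

    // Plain-HTTP request: refuse. The url.site context (scheme + host) keeps
    // the cached decision from leaking between HTTP and HTTPS variants.
    return AccessResult::forbidden('Recovery codes are only shown over HTTPS.')
      ->addCacheContexts(['url.site'])
      ->addCacheTags(['config:tfa.settings']);
  }

}
```

A site that terminates TLS at a load balancer must configure trusted reverse proxies, or `isSecure()` will return FALSE for every request and the page becomes unreachable.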

✨ Feature request
Status

Active

Version

2.0

Component

Code

Created by


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States cmlara

    With D7 EOL approaching moving to 2.x for consideration.

    I do have concerns about sending via email as they may retain a long-term copy and progress through multiple intermediaries.

    I can agree only transmission over HTTPS would be ideal, though perhaps that may be better left to another module/site configuration, especially now that modern SSL practices indicate that HTTPS over the open web may always be the case for some environments.
