Disallow viewing recovery codes after first display

Created on 8 November 2022, about 2 years ago
Updated 28 June 2023, over 1 year ago

Problem/Motivation

As far as I can tell, whenever I've seen TFA/MFA paired with recovery codes, it's quite evident recovery codes are only shown for one page load.

After which they are never visible to any party and can only be used programmatically to restore access.

Users typically can completely regenerate recovery codes.

Proposed resolution

Never show recovery codes, or
Add configuration to opt in to allowing recovery codes to be shown so long as currentUser is the same as the recovery code user.
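The two options above map onto one storage decision: whether the plaintext codes survive their first display. The following is an added illustration, not code from the TFA module; the class name `RecoveryCodeStore`, the `allow_viewing` setting and the user ids are hypothetical. With `allow_viewing=False` (the first option) only hashes are kept after the one-time display, so later viewing is impossible and the only recovery path is redeeming or regenerating; with `allow_viewing=True` (the second option) the plaintext is retained and returned only when the current user is the owner.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_COUNT = 10   # number of codes issued per regeneration (constructed value)
CODE_BYTES = 5    # 40 bits of randomness per code -> 10 hex characters


def _hash_code(code: str) -> str:
    # Codes are high-entropy random strings, so a plain SHA-256 is enough
    # to make the stored form useless to anyone who reads the database.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class RecoveryCodeStore:
    """Hypothetical per-user recovery code storage (not the TFA module's API)."""
    allow_viewing: bool = False                       # the proposed opt-in setting
    _hashes: dict[int, set[str]] = field(default_factory=dict)
    _plaintext: dict[int, list[str]] = field(default_factory=dict)

    def regenerate(self, uid: int) -> list[str]:
        """Replace all codes for uid and return the new set for its one-time display."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self._hashes[uid] = {_hash_code(c) for c in codes}
        if self.allow_viewing:
            self._plaintext[uid] = list(codes)
        else:
            # Default path: the plaintext leaves this function exactly once.
            self._plaintext.pop(uid, None)
        return codes

    def view(self, current_uid: int, owner_uid: int) -> list[str]:
        """Re-display codes: only when opted in, and only to the owning user."""
        if not self.allow_viewing:
            raise PermissionError("recovery codes are shown once; regenerate them instead")
        if current_uid != owner_uid:
            raise PermissionError("only the owning user may view their recovery codes")
        return list(self._plaintext.get(owner_uid, []))

    def redeem(self, uid: int, code: str) -> bool:
        """Programmatic use: consume a code if it matches, so each code works once."""
        candidate = _hash_code(code.strip().lower())
        stored = self._hashes.get(uid, set())
        match = next((h for h in stored if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        stored.remove(match)
        if uid in self._plaintext:
            self._plaintext[uid] = [c for c in self._plaintext[uid]
                                    if _hash_code(c) != match]
        return True

    def remaining(self, uid: int) -> int:
        return len(self._hashes.get(uid, set()))


if __name__ == "__main__":
    store = RecoveryCodeStore()          # default: never viewable again
    first = store.regenerate(1)
    print("show once:", first)
    print("redeem ok:", store.redeem(1, first[0]), "again:", store.redeem(1, first[0]))
```

The upgrade-path concern raised in the comments fits this shape as well: an existing site would be created with `allow_viewing=True` to preserve current behaviour, and a new site with the default `False`.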

Remaining tasks

Decide on approach

User interface changes

Recovery codes are not visible.

User can only regenerate recovery codes.

API changes

Form/controller changes.
Optionally, config/schema/upgrade-path changes, depending on the approach chosen.

Feature request
Status

Active

Version

2.0

Component

Code

Created by

dpi (Perth, Australia)


Comments & Activities


  • jcnventura (Portugal)

    I still think that the default being TRUE would be easier for us maintainers, but I don't truly care about that. The one thing should be that the update hook for existing installations should leave it as TRUE, so as to not suddenly change running sites. However, the release that contains this should warn site admins to change the setting, in order to have better security.
