Threat / Phishing & impersonation

2FA backup / recovery code theft — the attacker asks the user to submit / enter / reply with their 2FA backup codes (the one-time codes users save when setting up 2FA for use when they lose their authenticator). Legitimate services DISPLAY backup codes to the user for saving; they NEVER ask the user to type codes back into anything, making "enter your backup codes at the verification page" / "reply with your 8 codes" a near-perfect attacker fingerprint. Harvested backup codes let the attacker bypass 2FA INDEFINITELY, even after a password change. Real precedents: Coinbase 2020 backup-code breach, Google 2023 phishing wave, ongoing Microsoft / Apple / Coinbase / Binance impersonation. Distinct from `fido-passkey-downgrade-lure` (passkey → password fallback), `fake-password-manager-master-breach-lure` (vault key harvest), and `fake-mobile-carrier-sim-swap-approval-lure` (SMS takeover).

backup-codes-solicitation-phishing

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

2FA backup / recovery code theft via credential-solicitation phishing. The attack targets the one-time backup codes users save when setting up two-factor authentication — the codes intended specifically for emergency use when they lose access to their authenticator device. Harvested backup codes let the attacker bypass 2FA INDEFINITELY, even after the victim changes their password, because backup codes remain valid until explicitly rotated.

The narrative: "to maintain access to your Google Account / Microsoft account / Coinbase account, please enter your 8 backup codes at the verification page" or "reply with your 10 recovery codes to re-verify" or "your backup codes have been invalidated — submit your current codes to re-generate."

The distinguishing fingerprint is the solicitation verb: NO legitimate service EVER asks a user to submit / enter / reply with their backup codes. Real backup-code emails DISPLAY the codes to the user for saving; they don't ask the user to type codes back into anything. Any email that asks for your backup codes via email or a web form is, by construction, a phish.

Real precedents: the Coinbase 2020 backup-code harvest breach (attackers used harvested recovery codes to bypass 2FA on compromised accounts), the Google 2023 phishing wave ("re-verify your 8-digit backup codes"), and ongoing Microsoft / Apple / Coinbase / Binance impersonation campaigns tracked by KnowBe4 and SANS awareness-training programs.

Distinct from `fido-passkey-downgrade-lure` (which pressures fallback from passkey to weaker 2FA like SMS), `fake-password-manager-master-breach-lure` (which harvests the vault master password), and `fake-mobile-carrier-sim-swap-approval-lure` (which takes over the SIM for SMS-code interception). Those attacks target different credential layers; this one specifically targets the 2FA backup-code recovery path, which remains valid independent of password changes.

Defense: save your backup codes offline in a secure location (printed, in a safe, or in a password manager with a separate master password), never enter them anywhere except directly on the real service's real 2FA-setup page, and rotate them immediately if you ever suspect compromise.
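As an added example (this is not Gorganizer's own rule code, which the page does not show), a small Python detector for the solicitation-verb fingerprint described above: it flags a body only when it talks about backup/recovery codes AND contains a non-negated "enter / submit / reply with ... codes" phrase, so a real set-up mail that merely displays codes, and security advice saying "never enter your backup codes", are not flagged. The verb list, regexes and sample bodies are constructed assumptions, not Gorganizer's.

```python
import re

# Constructed patterns for this example; they are not Gorganizer's own rules.
# Verbs that ask the reader to hand codes back. Legitimate set-up mail never uses
# them next to "codes": it displays codes for saving ("save", "print", "download").
SOLICIT_VERBS = r"(?:enter|submit|type|paste|provide|reply\s+with|send\s+us|re-?verify)"
# Verb, then up to three words ("your 8 backup", "your current"), then "code(s)".
SOLICIT_RE = re.compile(
    rf"\b{SOLICIT_VERBS}\b(?:\s+[\w-]+){{0,3}}\s+codes?\b", re.IGNORECASE
)
# The message must actually be about backup/recovery codes, so an ordinary
# "enter the verification code we texted you" OTP prompt is not flagged.
MENTION_RE = re.compile(r"\b(?:backup|recovery)\s+codes?\b", re.IGNORECASE)
# A negated instruction ("never enter your backup codes anywhere") is advice, not a lure.
NEGATION_RE = re.compile(r"\b(?:never|do\s+not|don'?t|should\s+not|shouldn'?t)\b", re.IGNORECASE)


def find_backup_code_solicitations(body: str) -> list[str]:
    """Return the phrases in `body` that ask the reader to enter/submit/reply with codes."""
    if not MENTION_RE.search(body):
        return []
    hits = []
    for m in SOLICIT_RE.finditer(body):
        preceding = body[max(0, m.start() - 40):m.start()]
        if NEGATION_RE.search(preceding):
            continue  # negated = advice, not solicitation
        hits.append(m.group(0))
    return hits


def is_backup_code_solicitation(body: str) -> bool:
    return bool(find_backup_code_solicitations(body))


# Constructed sample bodies modelled on the lure wording quoted above.
LURES = [
    "To maintain access to your Google Account, please enter your 8 backup codes at the verification page.",
    "Reply with your 10 recovery codes to re-verify your identity.",
    "Your backup codes have been invalidated. Submit your current codes to re-generate them.",
]
# Constructed benign bodies: a real set-up mail (codes displayed), advice (negated), and an OTP prompt.
BENIGN = [
    "Here are your backup codes. Save them somewhere safe; each code works once: 1234 5678 ...",
    "Never enter your backup codes anywhere except on the real 2FA setup page.",
    "Enter the verification code we texted you to finish signing in.",
]

if __name__ == "__main__":
    for body in LURES + BENIGN:
        print(is_backup_code_solicitation(body), find_backup_code_solicitations(body))
```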

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
