Optional disable backup codes for 2FA

I propose 2FA optionally use ONLY the phone or google authentication app for 2FA because some various github repositories exist which show (and make accessible) the ability to steal account tokens (and 2fa backup codes) which cannot be otherwise protected from without the ability to outright disable their usage. Id rather not explicitly drop a link here but if requested by a dev/mod Id be happy to for evidence purposes.