Citation? Are you conflating losing access to your iCloud account with a remote-wipe? I’ve used devices which had synced passkeys when iCloud was disabled (MDM gaffe) or unavailable due to a password change, and the credentials which had already been synced continued to work without issue.

I agree that storing recovery codes is a pain point, but they're fundamentally different from passwords in that you don't need to use them for each login. That allows you to put them in cold storage, whether that's an encrypted flash drive, a piece of paper, a box buried in your back yard, or whatever else you want. Doing the same thing for information you need on each login would be ridiculous, but for a once-in-a-blue-moon recovery situation, the lack of convenient access is fine.

> Yes, less secure because availability is part of security.

This is too often forgotten. Availability is a fundamental part of security and must be part of every threat model.

And your threat model needs to be matched with what it is being protected. One size does not fit all.

For example to log in to my brokerage account, I may be ok with a solution where I might lock myself out and have to go to a physical branch to restore access. Because while that would be a pain, it's better than having my life savings stolen.

But to log in to, say, facebook? Availability and convenience is #1 above all, it's just cat videos and other extremely low value stuff so it's not worth any inconvenience.

That could work, assuming your usual file backup methods are secure enough and it doesn't create a circular dependency.