For multifactor authentication systems that make use of time-based OTPs and authenticator apps (such as Authy, Google Authenticator, etc), there needs to be a fallback mechanism in case the user loses their device. Some websites provide a set of recovery codes to the user at the time of setting up their MFA. How do these recovery codes work under the hood? How can a system like this be implemented?