So this means that if I use an Incognito/Private browser (as I always do), then I have one and only one opportunity to get a new recovery code (or to set up a new 2FA method) if I use the recovery code. This increases my risk of losing account access permanently (e.g., if I have lost access to my email, and the post-recovery login session terminates before I was able to get the new recovery code).
Furthermore, the implication that “new device verification” will not be required on “recognized” devices raises the question of whether Bitwarden will now automatically enable the “Remember Me” option whenever 2FA is enabled. Is this correct? That seems like a reduction in security.
I understand the impetus for wanting to make 2FA mandatory for new users (and for old users who never enabled 2FA), but I think that the 2FA requirement should be relaxed when the recovery code is used — i.e., 2FA should not be automatically re-enabled in that scenario (a click-through warning message would be sufficient).