I believe the reason PayPal doesn't provide backup codes is that their 2FA implementation allows PayPal to access the account if necessary (presumably in emergency situations). A full hardcore lockout 2FA implementation would risk users (and their beneficiaries, in case of death) losing access to their funds if they lost their 2FA, which I think would be extremely problematic from a UX and perhaps even a regulatory standpoint. From my observation, no (US-based) conventional financial provider has absolute 2FA lockout implemented either. Of course, it would be nice for PayPal to state this explicitly, but it is what it is. FWIW, the app-based TOTP implementation is better than that of most financial institutions, which send 2FA codes in the clear over SMS or email.