
Thank you, I didn't know this, and it was something I was judging against CF for years. It makes me a little uncomfortable though that there aren't any offline recovery codes in the event the TOTP device is lost/stolen/etc

EDIT: as pointed out below, there is one briefly on the QR dialog, it's not a separate sheet you generate/download like GitHub/Google/etc



Be careful using 2FA on CF. I got locked out of my account because I reformatted my phone and hadn't kept backup codes. That's my fault, not CF's. They wouldn't accept email verification or uploading an HTML file to the root of my domains to grant access.

But here's the kicker: Cloudflare were happy to grant access if I could recall some previous name server history for some of my domains. Information that is in the public domain and can be purchased as a report.


Customer Support (well, humans in general) is the biggest threat to security, unfortunately .. :(

This one comes to mind, I think I remember an Amazon-related story along the same lines .. https://www.macrumors.com/2012/08/05/apple-support-allowed-h...


You may not even need backup codes. Just save a copy of the Google Authenticator setup QR code. It's just email/key, when decoded.


Thanks for writing this. I will talk to the support team about it.


There is a backup code.

"Your second-factor backup code is 'blah'. This can be used for manual setup, and is necessary to recover your account in case your mobile phone is lost or stolen."

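As an added illustration (not from any commenter) of the two points above, that the setup QR code is just a URI carrying the key and that the quoted backup code is that same key used for manual setup: the snippet decodes a constructed `otpauth://` URI and regenerates login codes from it per RFC 6238, which is why a saved QR image or printed backup code must be guarded like a password. The label, issuer and secret are placeholders (the secret is the RFC 6238 test key, not a real account's).

```python
"""Decode an otpauth:// provisioning URI (a TOTP setup QR payload) and derive codes from it (RFC 6238)."""
import base64
import hmac
import hashlib
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example of a QR payload; the secret is the RFC 6238 test key,
# not a real account's. Label, issuer and secret are all placeholders.
SAMPLE_URI = (
    "otpauth://totp/Example%20Service:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Service"
    "&digits=6&period=30"
)

def parse_otpauth(uri):
    """Return the fields an authenticator app extracts when it scans the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }

def totp(secret_b32, timestamp, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(timestamp) // period)  # time step, big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def codes_from_uri(uri, timestamp):
    """Recover the secret from a saved QR payload and produce the code for that moment."""
    info = parse_otpauth(uri)
    return info["secret"], totp(info["secret"], timestamp, info["digits"], info["period"])

if __name__ == "__main__":
    secret, code = codes_from_uri(SAMPLE_URI, time.time())
    print(f"secret={secret} current_code={code}")
```

The same base32 secret is what the quoted "second-factor backup code" gives you for manual setup, so whoever holds either artifact can produce valid codes indefinitely.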


