When setting up 2-factor authentication on GitHub, it generates recovery codes which you're supposed to store somewhere. My question is: if someone else gets access to those codes, do they have access to my account - or do they still need my password? I.e. are the recovery codes just a substitute for the code that would otherwise be sent by SMS?
The main point of two-factor authentication is that it adds a second layer of protection. You use not only the password but also the second factor - in your case it is an OTP. Recovery codes have the same functionality as the OTP, so they will be accepted only when the password is valid.