
Typing a six digit number every 31 days is too much work to add a significant layer of security to a very important account?


Typing 6 digits every 31 days does not add a significant layer of security. 2 factor auth does. And that's different.

If one of your devices is stolen, you go reset the pass. As simple as that.

Plus, 31 days is a long time for the hacker, so it's not adding all that much security.


> Plus, 31 days is a long time for the hacker, so it's not adding all that much security.

No, but it might well be for the guy who fishes your old harddrive out of a bin.


Times two accounts, times four devices, multiple browsers... pretty soon it's a once-a-week frustration.


I have three accounts and five computers and I don't find the once-a-month 6-digit number to be a big deal. PayPal does annoy me with their policy of requiring an OTP seemingly every time you visit a page, but it's worth it because I know that I don't have to have a super-amazing password to stay safe. Ultimately, the work required to recover from a compromised account is much higher than it is to type a 6-digit number every month, so I consider it a good trade-off.


In my case, the number always seems to expire when my token is far away. So another way of alleviating this would be to have a three day grace period where you're prompted with the option of refreshing your credentials, but you don't have to.


Theoretically, the printed numbers you keep in your wallet can be used until you get your phone back.


I'm thinking more like, I wake up and want to check my mail from bed, but -- surprise! -- it's expiration day, and my OTP token is downstairs. And using a single recovery code immediately invalidates your electronic token, logging you out everywhere and forcing you to go through the activation process all over again before you can log back in.


Use it as a mental improvement exercise to help improve your short term memory.


It would be nice to choose the level of security you think you can afford on the security-inconvenience tradeoff curve. Especially since it is likely to increase the take-up rate.


Typing a six digit number once adds a significant layer of security to a very important account.

Having to type it every 31 days (per browser, per device, per account) adds very little marginal security. In fact, in my case it actively hampers security, because it keeps me from using two-factor altogether.


It's extra work.

Does this expiration after 31 days add any extra protection?


Yeah, if you are logged in somewhere and forget to log out.


... for 31 days.


You should clear those cookies quite often. Just saying.



