The two factor authentication screen very clearly says that you should store your recovery codes safely. If your friend did not backup their two factor authentication app and only had the recovery codes on the phone with that authenticator app, then your friend did not store the codes safely.
I hope that your friend learned from this that backups are important. Because like I wrote in the post linked by @JavesPotato , if you have two factor authentication enabled, you must have either the authenticator app or a valid recovery code to login.