Our Development and UAT environments require local login with MFA. We have a clone preserver setup for the user_multifactor_auth table and during our last upgrade to San Diego we cloned our DEV and UAT environments.

Post clone, we could log into the instances with our pre-clone DEV and UAT MFA codes from our authenticator apps fine. For an unrelated reason we needed to clone our UAT environment again (several update sets committed in error) and after this second clone (a few days after the initial clone) no-one was able to login using their MFA codes and we were effectively locked out of the instance.  

Luckily we had a clean up script that re-enables our email, and sends them to a shared email account so we were able to get a temporary MFA code (For accounts that had an email, because you don't get that option if your account doesn't have one!)

While troubleshooting we discovered that clicking the 'Receive a code via email' link, brings the old codes back to life. You don't have to use the code that was sent to the email. I also have a suspicion that an account that is locked out and then unlocked also brings them back, but I haven't thoroughly tested this as once the codes are working I have to find another user that had pre-clone MFA codes setup to test with.

I raised a case with the now Support but got nowhere. They suggested re-cloning, resetting the 'Enable multi-factor authentication' flag on the user profile or using the 'Receive a code via email' link, but these are all workarounds. Posting to see if anyone else has come across this.