Updated May 12.
I ended up checking with support and here’s the situation.
- With no 2FA, anyone with the username and password can log in. There are no other checks. So this is perfect for me, since my password is long and random and not used anywhere else. My executor will be able to log in.
- If 2FA is enabled, then a recovery code is issued with the 2FA. That recovery code will disable and turn off 2FA. So, if 2FA is enabled, my executor only needs my username and password and the recovery code.
I feel a lot better about dying now! 
If you’ve got this explained somewhere, please just show me the link. I’m writing an article about doing an inventory of your digital assets for death or being disabled. One problem, is that if an executor has a list of all my assets, and all my usernames and passwords, and then tries to log into my accounts, there is a big obstacle. Most places send a code to my email. If 2fa is turned off, or it is turned on and your generated bypass code is used, can my executor, logging in from their computer and browser, access my email account if they have my username and password so they can close my accounts like banks and Stores and Streaming services and other services that send a one time pin to my email when another untrusted browser logs in?