
Use required action configuration instead of password policy for warning threshold #39214

@mposolda


Recovery codes allow configuring a "Warning threshold". This is the number of recovery codes which signals to the user in the account console that he has a small number of recovery codes remaining and hence he should refresh his recovery codes. It is 4 by default, so a warning is displayed to the user in the account console when he has 3 or fewer remaining recovery codes.

The problem is that this is configurable as a password policy. This is certainly not correct, as "password policies" are used for passwords. Using them for anything related to recovery codes is a workaround.

There was no possibility to have configurable required actions when recovery codes were introduced. But now configurable required actions are possible. So I wonder if configuration of the recovery-codes required action could be used for this instead of a password policy? If yes, we can deprecate the password policy and schedule it for removal in a future major version (likely Keycloak 27).
