This is correct and by design. Two factor authentication stores its settings in the #__users table, encrypted. The encryption key is your site's secret key, stored in configuration.php. When transferring your site the secret key changes per Joomla's best security practices. This means that 2FA becomes invalid in the transferred site.
I was against the encryption of the 2FA configuration information because, frankly, it makes no sense whatsoever (the key to decrypt them is already present in memory, meaning that in the event of an arbitrary code execution vulnerability the settings can be trivially decrypted). Unfortunately the Joomla! Production Leadership Team would NOT listen to me, insisting that 2FA settings have to be encrypted. The end result is that if you transfer a site you have to disable 2FA (bad for security) or you need to edit configuration.php and set $secret to the same value as the original site (bad for security). I'm sorry, I tried to prevent that, but in the end of the day I can't fix the fact that stupid people have the final say in what goes into Joomla! :(
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!