They are tied to the phone, at least for Google Authenticator, if you do an iCloud backup. This is a security flag the app has set on the database file. If you do a local, encrypted backup the codes can be restored. Alternatively you can use a client like Authy that also allows you to sync them with your other devices (encrypted ofcourse).