by jaywalk 1465 days ago
> I don't understand why authentication usually requires you to type in some 6-digit number from your phone.

Because it proves that the user logging in is in control of a device that they've linked to the account. When you add an account to whatever app you're using (Google Authenticator, Authy, etc.), what it's actually doing is receiving a cryptographic key that it uses to generate the 6-digit code based on the current time. Without that key, the proper 6-digit code can't be generated.

1 comment

I think the procedure I described also can do this, but the 6-digit code is sent in the background. I don't see why a human has to physically write out 6 digits from phone to computer, instead of it just happening automatically.

The main difference here is usability. The current process is going into an app, finding+choosing the website from a list, tapping that website, manually copying from one screen to another, checking that you copied the digits correctly, then confirming. This is stressful and takes about a minute. A process where you just confirm a dialog, or use your fingerprint, takes 2 seconds, and doesn't require the mental effort of memorizing and writing out 6 digits. If the people working on security can't see the enormous difference between the two workflows, then this is hopeless.

It's the same issue that plagues the security-minded people who think regular users will go around copying and storing each others' PGP keys.