[greggsy]

The app is ‘something you have’, which you can only use after you authenticate into your phone with ‘something you are’ (biometrics), or ‘something you know’ (a PIN/passphrase).

I’m fairly sure the app does require you to enter a password after a set period or reboot - exactly like apple’s iCloud implementation (which IMO, is pretty good, or at least good enough for most individuals’ use cases).

Things are getting a bit confused lately though, as some models require that factors can’t exist on the same device, and there’s questions around keeping physical (‘have’)factors separated for different accounts and functions.