[jsnell]

It's not a two-factor code like you're thinking of. That code is shown on the sign-in / account recovery page, to whoever making that attempt. Then the same value has to be chosen on the mobile device that's being used to authenticate that sign-in.

The goal isn't to protect against phishing or social engineering, but against people accidentally approving a sign-in they didn't initiate.

[joshuamorton]

(specifically, there are "credential stuffing" style sign-in attacks where an attacker logs in "suspiciously" at the same time as a legit log in, possibly after forcing a log-out, hoping you approve both your log in and theirs when you get two, or ten pop-ups)