Why is it that some services, when they conduct 2FA ask you to rewrite a code from an app, even if that app is part of that service’s infrastructure? For example, when I log in via the web to messenger, as part of 2FA the messenger app on my phone not only asks for consent, but also shows a code that needs to be rewritten for the web service.

What additional security does this code introduce over just giving consent in the app? The icloud login works similarly, and a different approach is represented by google, in which when logging in via the www under 2FA you just click consent in the app, without the code. Is google’s solution anything less secure?

New contributor

Karaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.