You have a point, but my complaint is that a service like Google shouldn't work based on a binary choice. You either use a persistent session cookie and you're logged in at all times (even if someone else launches your browser), or your session is 100% untrusted, requiring both a password and your phone to confirm it's you.
There should be a middle ground. If I'm logging back in 2 minutes later from the same IP, using the same browser on the same OS, just ask for the password. Or even better, let me choose if I want to use that "phone auth" option in the first place.
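The "middle ground" policy described in the comment, written out as an added example (not the commenter's code and not how Google actually decides): a login within a short window from the same IP, browser and OS asks for the password only, anything else steps up to password plus phone, and a user who opted out of phone auth is never asked for it. The `SessionContext`, `LoginAttempt` and `required_factors` names and the two-minute window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data model (assumed names): what the server remembers about the
# last trusted session and what it sees on the new login attempt.
@dataclass(frozen=True)
class SessionContext:
    ip: str
    user_agent: str
    os_name: str
    last_seen: datetime

@dataclass(frozen=True)
class LoginAttempt:
    ip: str
    user_agent: str
    os_name: str
    at: datetime

FAMILIAR_WINDOW = timedelta(minutes=2)  # the "2 minutes later" from the comment

def is_familiar(previous, attempt, window=FAMILIAR_WINDOW):
    """True when the attempt matches the previous session's IP, browser and OS
    and arrives within the window. A timestamp earlier than last_seen (clock
    skew or replay) is treated as unfamiliar rather than trusted."""
    if previous is None:
        return False
    elapsed = attempt.at - previous.last_seen
    return (
        previous.ip == attempt.ip
        and previous.user_agent == attempt.user_agent
        and previous.os_name == attempt.os_name
        and timedelta(0) <= elapsed <= window
    )

def required_factors(previous, attempt, phone_auth_enabled=True):
    """Return the tuple of factors to demand for this login.
    The password is always required; the phone factor is the step-up for an
    unfamiliar context, skipped entirely when the user opted out of phone auth
    (which lowers the assurance level for those logins)."""
    if is_familiar(previous, attempt):
        return ("password",)
    if not phone_auth_enabled:
        return ("password",)
    return ("password", "phone")
```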