The idea is that you can keep something secure better if you have “something you know” (ie. Password) and “something you have (ie. A phone with a linked code). That way if some somehow gets access to 1 thing (likely your password) they wont be able to get into your account cuz they lack the other thing. Credit card with chips and pin codes are similar.

However it is “annoying” to do that so like any security measure it”s a balance of how much stuff they want to make you do to confirm it is really you accessing or not. They could have 3 or 4 or whatever step authentication if they really wanted.