How does 2FA remain secure when most people have saved passwords or credentials/"remember me" on one single device, usually their smartphone; potentially a single point of failure? For that matter, why only 2FA and not 3 or 5FA?


For clarification, some banking apps simply require a separate password in a separate app to be entered, emulating the same concept that Google Authenticator employs.

How is this more secure than say, having a secondary password field in the main app?

6 Answers

Anonymous

That separate app is 2FA, also called an OTP (one-time password).

A system is only as secure as its weakest link, which tends to be the human; a 2FA approach gives you a small time frame (normally 30s for app-based codes) to enter that code. It's a second layer of defence. It's more secure than just a second password because it's a pseudo-random code that is generated on your device and a server using a known set of values on each side and generally using time to sync them. It would take longer than 30s to brute force that OTP, by which time it has changed and you have to start brute forcing again.

Some sites use text, some use email and some use apps but the core principle is the same. A short lived freshly generated code that has a single use.

Why 2 and not 3 or 5 or 100? Balance of security and usability: as you add more layers you create a more secure system, BUT you also cause humans to be more reluctant to use it, and so the human defaults to 1FA (a password).

If you have a smartphone you should have a passcode or password to unlock it and also to see previews of messages, and some phones now require that code to be entered when using saved passwords. But again, the weakest link is the human: if they don't protect their device with a password or code, then it does defeat a lot of the 2FA benefits.
