Diesse Well, if it is a new device, you also need more access to the SMS or email, and payments etc. only 24 hours are first executed delayed.
The login code is only sufficient for a device that is already logged in. But in the best case scenario, this has also been secured with a strong, alphanumeric passcode.
If the previous measures had been effective against phishing, they probably would not have adapted them. There were some who had passed on the login code and passphrase. Of course that's PEBCAK, but I think the overall security of the system has increased with the change.