Not a crypto expert so tell me if I'm wrong but isn't the one downside of this the risk that a user will click "Allow" when he should not? I.e. a phishing site stating "if your Twitter mobile app prompts you to Allow, click Yes to receive your free pr0ng/game/claim your inheritance?"
The benefit of sending the user a code to enter à la Google Authenticator is that we understand secret keys as digitally valuable. The social context of Allow, meanwhile, is that computer users are sometimes trained to click it constantly, e.g. by a desktop app installer or a location-based app.
That's only in regard to a phishing attack, but two-factor authentication protects you in the case that you lose your password to an adversary who tries to log in themselves.
If said adversary can steal your password through other means (for example, you use the same password over multiple sites, and the adversary happens to run one of them), they still would have to coerce you into giving the Allow on your phone.
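To make the difference the thread is arguing about concrete, here is an added example (not code from any commenter, and not Twitter's implementation): an RFC 6238 TOTP verifier of the kind Google Authenticator codes are checked against, next to a toy model of push-to-approve in which tapping "Allow" approves whichever login attempt is pending, regardless of who started it. It goes one step beyond the thread by also modelling number matching, a deployed mitigation in which the phone asks for a short number shown only on the screen that initiated the login. The secret, timestamps, user name and attempt IDs are constructed for the demo; the RFC 6238 test vector is used so the TOTP output can be checked.

```python
"""Added example: TOTP (RFC 4226/6238) beside a toy push-approval second factor.
Secret, timestamps, user and attempt IDs below are constructed for the demo."""
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def totp_now(secret: bytes) -> str:
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps (clock drift),
    comparing in constant time. The code only means something when typed into
    the site that holds this secret; a bare tap carries no such value."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, now // step + delta), submitted):
            return True
    return False


class PushApproval:
    """Toy push-to-approve factor. Pending login attempts queue up per user and the
    phone shows a bare 'Allow?' for the oldest one, unbound to any login screen."""

    def __init__(self) -> None:
        self.pending: Dict[str, List[str]] = {}

    def request_login(self, user: str, attempt_id: str) -> None:
        self.pending.setdefault(user, []).append(attempt_id)

    def tap_allow(self, user: str) -> Optional[str]:
        """User taps Allow: whatever attempt is at the head of the queue is approved."""
        queue = self.pending.get(user, [])
        return queue.pop(0) if queue else None


class NumberMatchingApproval(PushApproval):
    """Same push, but each attempt carries a two-digit number displayed only on the
    screen that initiated it; the phone asks the user to type that number."""

    def __init__(self) -> None:
        super().__init__()
        self.codes: Dict[str, str] = {}

    def request_login(self, user: str, attempt_id: str) -> str:
        super().request_login(user, attempt_id)
        # Constructed: derive the displayed number from the attempt ID for a repeatable demo;
        # a real deployment would draw it from a CSPRNG per attempt.
        self.codes[attempt_id] = f"{int(hashlib.sha256(attempt_id.encode()).hexdigest(), 16) % 100:02d}"
        return self.codes[attempt_id]

    def approve_with_number(self, user: str, typed: str) -> Optional[str]:
        for attempt_id in list(self.pending.get(user, [])):
            if hmac.compare_digest(self.codes[attempt_id], typed):
                self.pending[user].remove(attempt_id)
                return attempt_id
        return None


def phishing_scenario() -> tuple:
    """The thread's case: an attacker holding the password starts a login, and a phishing
    page tells the user to tap Allow when the prompt appears. Returns what each scheme
    ends up approving."""
    plain = PushApproval()
    plain.request_login("alice", "attacker-session")
    approved_plain = plain.tap_allow("alice")            # the attacker's attempt is approved

    matching = NumberMatchingApproval()
    matching.request_login("alice", "attacker-session")  # number shown only in the attacker's browser
    # The user only ever saw "click Yes"; with no number to type, nothing is approved.
    approved_matching = matching.approve_with_number("alice", "")
    return approved_plain, approved_matching


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print("TOTP at t=59:", totp(rfc_secret, 59))
    print("push vs number matching:", phishing_scenario())
```

The caveat a practitioner would add: number matching only stops the "tap Allow when prompted" case where the user never sees the number. An attacker who relays in real time can read the number from their own browser and display it on the phishing page, and a TOTP code can likewise be relayed within its time step, so neither scheme on its own defeats a live proxy; that requires an origin-bound factor such as FIDO2/WebAuthn.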