>I feel like some sort of manual component to two-factor authentication is the whole point
It's not really. The point is to verify that the device used for 2FA is still with you; whether you entered the code manually or it got entered automatically isn't the point of the system, and in practice it makes no real difference (unless your 2FA app requires a password for access).
>What exactly are we achieving here in terms of security?
Verifying that the phone is still using the allowed SIM card/phone number.
If you switch phones, you can still get the confirmation message and access your account and, if needed, invalidate all other sessions.
If your phone is stolen you can do the same thing. The app password caching doesn't matter then.
It is no different than a 2FA app that you have on your phone, except that it's more tied to your SIM card than to your phone.