I’m surprised there arent any account security blurbs or anti-scam warnings here as this is an atypical way to log in:
This would be one of the last popups a users sees before sending their email + code to a potential attacker so it seems fitting that we should let people know they should treat this code discreetly.