0xfeba 9 days ago
> And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten so effectively this is the only security as an attacker has “forgotten” the password and just uses this flow to login.

Was about to post just this. This is the flow they use for account recovery so it's the weakest link in the chain anyway.
ThunderSizzle 6 days ago
Well, no. I'm paying more attention to what I'm doing if I have to recover my account. My typical login is something I have to do every day for every place, so it's easy to become more careless subconsciously. Since this is about the human accidentally getting tricked into giving a code to a malicious actor, I do think that workflow abuses humans being overtired by too many factors of auth by too many different services. I just want to log in and get my thing done, but now I have to spend time waiting on email, etc.