> I should never be in a situation where there is an unexpected login I need to verify.

Isn't that kind of the point? If someone else is trying to login somewhere with your credentials, your two factor will ping up?

Why would I want that? If it is not me, I am not going to allow the login. Making it a notification makes it more likely I could fat finger an approval.

I guess you can make the argument that you are then made aware of login attempts, but that feels more like something the host service should control.