A better question is, why would you use a code-generating 2FA, as they don’t authenticate the server and you may be looking at a phishing site proxying the real site in real-time? Only U2F/Webauthn keys guard against this and hardly anyone uses them, which shows 2FA is all too often performative security theater.