It makes ZERO sense to give the second factor to the device trying to access the account. No way this is expected behavior.