and clicking the Login button again invalidates the previous 2FA code, and requires switching to the email client again, setting up for failure over and over again.
Use of a "standard" modal component ended up being incredibly inconsiderate and user-hostile.