Ideally they(t212) would use risk factor authentication. Where as in high risk it asks for step up auth. Meaning not just fingerprint/pass but also Sms/otp or push notific.
But lower risk would only require fingerprint/pass.
Risk is based on AI learning each users pattern aka device used , location , time etc…
Somehow , I am not impressed at having google token or MS token as 2fa when I am accessing app via mobile. It would make sense if you use mobile purely for auth, but other device to actually access the application. To have any purpose of MFA.