Yeah it's interesting because on the one hand you're adding one more step to login. You're adding friction. On the other hand, it's pretty obviously a good security practice.

I wonder what the product and stakeholders discussed. Were there metrics on how many users they might lose with this?