caffynz: A new one for me: I've recently downloaded an app for password-less sign-in, where at the sign-in page, instead of using my email/password, I can use the app to scan the QR code that is displayed.
After scanning the QR code, the app then asks me if it is me that is signing in (with yes/no answer options)... Um - didn't I just pick up my phone, unlock the app through facial recognition, toggle the QR scanner, and scan the QR code? Who else could it have been?
Without knowing the exact workflow involved here, it sounds like an anti-phishing/spoofing measure.