If a user signs in to the EBS website with a known device (often also with an IP address known to the system), the system automatically has at least two-factor authentication. Such logons are "well-known to those skilled in the art of website-making" and are common in banking and other security websites. (Best "prior art" would be Jack Henry software, but there are numerous other examples.)
The two-part authentication is redundant in such circumstances and provides no security advantage. In any instance, erroneous sign-in attempts can be addressed by separate authentications, etc., without forcing this on users coming in with their usual device or an IP address already associated with the account.
(The "trusted device" tickbox on sign-in is further indication that the system is receiving the device information.)
These authentications are problems waiting to happen. If there is a delay in email, authentication is down. "Authenticators" are largely inaccessible to many people, especially given a 30-second timeout and difficulty in initially setting these up. Phone authentication does not work well with central switchboard systems.
All of this is totally unnecessary in the usual case and should only be forced if the user is coming in from an unknown device. Please remove it for all known devices.