It’s something they “broke” recently. You used to require a physical card to pair a new phone key. I noticed when I replaced my phone that it was no longer needed. They should be able to fix it easily, but I’m sure they won’t.
You can enable pin to drive to reduce the risk, but if you have the creds and there is no 2FA on the account then you can use the app to bypass it.