UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce the problem:
1. Set security passcode for gmail account
2. Login on new browser enter the email and password
3. Check the passcode sent on mobile without unlocking the phone.

What is the expected behavior?
The passcode should not be visible until user unlock the phone and open the message to read it.
E.g. Bank one time password does not showed up until user does not open the password

Also if other person get's user's password and then tries to login. Message will be sent to configured mobile number but do not have instruction what to do if actual user have not tried to login anywhere.

What went wrong?
If someone Purposefully steel the user mobile phone, can be easily hack the email password without unlocking the mobile phone.

Also if someone else tries to login with other users password and user get's an verification code, do not have instruction what to do in that case.

Did this work before? No 

Chrome version: 48.0.2564.116  Channel: n/a
OS Version: 6.3
Flash Version: Shockwave Flash 20.0 r0

Please notify me what do you think aboout