I don't have much to add about the Apple version of this, but I'm somewhat conversant in Google's approach. To Google, it's all about "signals" for "multi-factor" authentication. Does your phone have a GPS location that lines up with your house and/or is it associated with your home WiFi? That's a plus. Is it associated with your car's Bluetooth? That's a plus. Has the user recently used the phone's fingerprint reader? That's a plus. All these different plusses are stirred together and different security-relevant tasks have different bars for when they'll bother you for more password / PIN / fingerprint / whatever authentication data.

You can see this sort of thinking when you're logged into and using your Gmail, but when you want to change your settings, it asks for your password again. Likewise, my Android phone sometimes demands my password-pattern even though I have it set up to let me log in with my fingerprint.

I also have one of those Yubico 2FA USB tokens for Google. When setting up a new computer, they want you to plug it in, but after that they set a cookie in your browser and they're happy, and don't ask for your password again very often, and I don't think I've ever been asked for the 2FA token more than once on the same computer. Presumably, my "signals" are staying relatively consistent. I'd be curious how hard I have to work before Gmail in Chrome demands my 2FA token again.