It is simple and if you don't use it, you should turn it on!
But today, for some reason, the push notification didn't arrive. So I asked Google to try a different method. I chose SMS and a moment later I was sent a text method with a code (partially blanked out below)
|MFA code is visible when locked|
Now you can see that my phone is locked, but the whole code is visible. This got me very paranoid, imagine being away from your phone for 5 minutes and someone guessing your password and then using this to bypass two factor authentication? Or thinking about it, my bank uses one time passcodes (OTP) before transferring large amounts of cash....scary!
Thankfully, Android has a mechanism to make this more secure. If you go to Sound & Notifications > App Notifications > Messaging
From here you can turn on the setting to Hide Sensitive Content
|Enable "Hide Sensitive Content"|
|MFA code is hidden until unlock|