If other apps are going to rely on 2-step auth messages with Nostr, let's please do another event kind just for short auth codes. In that way, clients can make a popup for the code with appropriate security and privacy information instead of requiring people to go to messages (which is a weird thing to ask).

Auth codes should not be in messages

Though I have a feeling that auth codes are unnecessary if login with Nostr is implemented correctly.