BE-Pass is their 2FA application. It's not bad as it shows you some details but in the case of the password it does not show you the new password, so if you get two requests in the BE-Pass app, they look equal and you don't know which new password you are confirming - the attacker's or yours.

Google Authenticator would require me to enter the code into the website where I requested the password update while the hacker would need me to give him the code. I think it's more transparent that giving that code over phone is a blind signature than when they trick me into clicking a mere button in the 2fa app.