At the very least, though, the MFA prompt can alert the user to the discrepancy, even after they click accept (e.g. "hey, we notice you're holding your phone in Australia but we have a login request from Russia - are you absolutely sure that's you?"). And it can also be based on learning usage patterns - once the user has confirmed that they are indeed logging in from Russia enough times over a few days, the system comes to accept it. Multiple levels of imperfection, hoping to reduce the risk.
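A sketch of the check described in the comment above, added here as an illustration and not part of the original comment or any vendor's implementation. The class and function names, the threshold of 3 confirmations, and the 3-day sliding window are assumptions standing in for "enough times over a few days".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values; the comment only says "enough times over a few days".
CONFIRMATIONS_NEEDED = 3
LEARNING_WINDOW = timedelta(days=3)


@dataclass
class LocationLearner:
    """Tracks, per user, which login countries the user has explicitly confirmed."""
    confirmed: dict = field(default_factory=dict)  # (user, country) -> [timestamps]

    def is_learned(self, user, country, now):
        recent = [t for t in self.confirmed.get((user, country), [])
                  if now - t <= LEARNING_WINDOW]
        return len(recent) >= CONFIRMATIONS_NEEDED

    def evaluate(self, user, device_country, login_country, now):
        """Decide what the MFA prompt shows for this login request."""
        if device_country == login_country or self.is_learned(user, login_country, now):
            return {"action": "standard_prompt", "warning": None}
        return {
            "action": "confirm_again",  # second question shown after "accept"
            "warning": (f"Your phone appears to be in {device_country} but this "
                        f"login request is from {login_country}. Is this you?"),
        }

    def record_confirmation(self, user, login_country, now):
        """Call only when the user answers yes to the second question."""
        self.confirmed.setdefault((user, login_country), []).append(now)


def simulate():
    """Constructed scenario: phone in AU, login requests from RU over several days."""
    learner = LocationLearner()
    start = datetime(2024, 1, 1, 9, 0)
    actions = []
    for hours in (0, 20, 40, 60):
        now = start + timedelta(hours=hours)
        decision = learner.evaluate("alice", "AU", "RU", now)
        actions.append(decision["action"])
        if decision["action"] == "confirm_again":
            learner.record_confirmation("alice", "RU", now)
    # Assumed behaviour: confirmations age out of the window, so the warning returns.
    later = start + timedelta(days=10)
    actions.append(learner.evaluate("alice", "AU", "RU", later)["action"])
    return actions
```

Only explicit answers to the second question count toward learning, so a reflexive tap on the first accept button never teaches the system a new location.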