This behavior was observed when a user migrated from an older iPhone to a new iPhone but may also apply to Android devices.

Current situation: The Smartphone enrollments are included as part of the backup of app data when an iCloud backup is performed. When this backup is restored on a new device, the same enrollments from a previous device are still functional. An attacker that has access to a backup could 'clone' a Smartphone enrollment.

Desired situation: Smartphone enrollments are not included as part of the app's backed up data. This would require a user to have to re-enroll all Smartphone authenticators after restoring the backup on the same or a new device.