Multi-Factor Authentication (MFA) adds another layer of security to your login process by requiring users to enter two or more pieces of evidence (or factors) to prove they're who they say they are. In this example the factors are:

Username and password

authenticator app

Your question is asking why the code is required in every login and the answer is because that is what MFA is. Without it, you don't actually have MFA (just username and password).

There is no "Don't ask again" prompt. You might have gotten used to seeing that prompt for the Device Activation/Identity Verification feature Salesforce provides. It was a prompt that would appear if the user logged in from an unrecognized device (or user's IP is outside the trusted IP range). However, it's explicitly mentioned in the .

Some Salesforce products include a feature called Device Activation, or Identity Verification. This functionality is sometimes confused with MFA.

Device Activation requires users to provide an additional authentication factor if they log in from an unrecognized browser or device, or if the user's IP address is outside a trusted IP range. Supported verification methods for this feature include email and SMS text messages, as well as strong methods like Salesforce Authenticator, third-party TOTP authenticator apps, and security keys.

MFA, on the other hand, requires users to supply a strong verification method every time they log in. Email and SMS text messages aren't allowed for MFA logins because of their inherent susceptibility to attack by bad actors, so these options aren't allowed for MFA logins.

And your direct question is also within that same FAQ

How frequently must users provide a verification method when logging in directly to Salesforce products?

If you’re using Salesforce's MFA functionality, users must respond to an MFA challenge each time they log in to a Salesforce product. This applies to all logins, including those due to inactivity and expired sessions. The frequency of MFA challenges can’t be modified.

Can I automate or control how often the extra authentication step is required by Salesforce products to reduce impact to my users?

To ensure that MFA is providing the intended protection, users must supply a verification method each time they log in directly to a Salesforce product. To reduce friction for users, we recommend using Salesforce Authenticator. The app can automate the extra authentication step when a user works from a trusted place, like the office or home — which means users don’t have to touch their phones when they log in from these locations.

As noted in that last quote/answer, the Salesforce Authenticator mobile app (and only this app) is recommend as it can reduce this friction with its ability to "auto" verify for you based on location, device, and IP. It requires you to turn on a couple settings:

Within Setup --> Session Settings, check the Let Salesforce Authenticator automatically verify identities using geolocation and, if you have trusted IP ranges, you can also check the Let Salesforce Authenticator automatically verify identities based on trusted IP addresses only

Within the Salesforce Authenticator app - Settings --> Automation Settings turn on Einstein Automation

Once those are on, the functionality is noted to work as following from that doc:

In the app, when you select Always verify from here, the next time you log in from the same computer (browser) and the phone is in the same location, your phone will respond automatically for you when all are the same in a repeated pattern of 3 or more times.

Note: If there are any differences, dynamic IPs , location, browser or device changes the user will be prompted for push notification again.

If you use a different authenticator app, you will need to put the code every time as the above won't apply or isn't supported currently.