Whenever I use a different/new browser on my computer in a different location, I get a code emailed to me. This doesn't happen on the app though (well, maybe it did the first time I used it on my device).
But yes, there should be an MFA challenge when redeeming miles. My bank does this if I transfer money out of my account.