It's not shuffling around security, nor is it adding any (at least in the crypto sense). Rather, it is a post-mortem way of knowing whether something is wrong. Assume that neither the auditing agency nor the original service is cracked. If your password gets phished and the attacker logs in as you, you will get a notification about it. Then, you can at least do something retroactively (even seconds later if you get a notification on your phone) to prevent further injury instead of finding out weeks later when all the damage is already done.