Here’s my take on this.
Instagram has a fairly robust system for handling logins from new devices to protect user accounts. When a login attempt comes from an unrecognized device or location, it typically triggers a security check.
The most common verification is a pop-up notification sent to a device already logged into the account, asking the owner to confirm “Yes, this was me” or “No, it wasn’t.” If that fails or isn’t an option, Instagram will often send a one-time login code or link to the email address or phone number associated with the account. If Two-Factor Authentication (2FA) is enabled, the system will require an additional code from an authenticator app or a pre-saved backup code. It’s a multi-layered approach.