That's why you either use authenticators as a second factor only (i.e. you require a password entry first), or you require user verification (which is usually a PIN entry verified by the authenticator). Both solve this problem.