The main advantage is that it’s cryptographically tied to the app or site. That’s what prevents phishing, your device literally won’t sign a challenge from a different domain, even if it looks identical. The "can’t copy/paste" part is just a side effect of using secure hardware or a password manager to handle it. It's not about making it hard to share; it's about making it impossible to misuse.