2 factor authentication security problem

Hi guys,
i refer to this thread posted a couple of years ago https://www.virtualmin.com/node/44832

I inadvertently used the wrong 2 factor authentication code to log into my root user account on webmin/virtualmin.

I have a number of google authenticator codes on my mobile device

  1. the webmin root user
  2. admin login for a virtualmin>virtual server on my system (its also the virtul server setup in virtualmin as the one apache defaults to for displaying a website in the event one cannot be found in the apache list)

My understanding is, when logging in to virtualmin using google two factor authentication, only one code from the correct account (ie in this case root) should be able to log in?

How is it that i was also able to log into my webmin root user with the authentication code from the wrong (a different) user?