2FA being on a separate device is simply the most secure way of doing it. An attacker who gets access to some passwords for my accounts can’t do a whole lot without also physically stealing my phone.
It’s simply an extra hurdle for malicious actors to go through.
Though I guess in most cases, having any 2FA at all will probably already turn off a majority of attackers.