The second factor doesn’t have to be linked to a device. It can be linked to an email, which you can access from any device.

The idea is it’s now twice has hard for an attacker to get your password, because they need the verification code from either your device or email, but they don’t know your email or have access to your device, so they would need to gain access to that in order to break in.

It just needs to be a second factor (2 factor identification) it doesn’t need to be a physical device.