
No, 2 factors is good.

Something you have AND something you know.

I don't want someone to lift my HSM and joyride with it all weekend before I notice it's gone.



WebAuthn is quite capable of doing two factors.

At the cheapest end, something like a Yubico Security Key 2 does two factors with one being the physical key you have and the other being a PIN (such as "180479" or indeed "FkR0Mpg"). An adversary who steals the physical device needs to guess the PIN correctly before it locks out after a few wrong guesses.

Something like a decent Android phone uses a fingerprint as its second factor; Yubico make a physical device that does this if you've got cash burning a hole in your pocket.

In WebAuthn terms the remote site ("relying party") just asks for User Verification and checks that the UV bit is set on the signed message from the authenticator (all WebAuthn signatures will have UP (User Present) set, but UV is a separate bit).
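As an added illustration (not code from the commenter), here is how a relying party can decode the flags byte of the WebAuthn authenticator data it receives and refuse assertions where UV is not set. The rp_id and the sample byte strings are constructed; verifying the signature over authenticatorData || SHA-256(clientDataJSON) is assumed to be done separately, so the flags checked here are the ones the authenticator actually signed.

```python
import hashlib
import struct

# Authenticator data layout (WebAuthn spec): rpIdHash (32 bytes) | flags (1 byte)
# | signCount (4 bytes, big-endian) | optional attested credential data / extensions.
FLAG_UP = 0x01  # bit 0: User Present (touch); set on every assertion
FLAG_UV = 0x04  # bit 2: User Verified (PIN or biometric); the second factor


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_flags(auth_data: bytes, rp_id: str, require_uv: bool = True) -> tuple:
    """Relying-party policy check; returns (accepted, reason)."""
    parsed = parse_authenticator_data(auth_data)
    # The rpIdHash binds the signed data to this site's origin.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return (False, "rpIdHash does not match this relying party")
    if not parsed["up"]:
        return (False, "UP flag not set")
    if require_uv and not parsed["uv"]:
        # Key was present, but no PIN/biometric: single factor only.
        return (False, "UV flag not set; user verification required")
    return (True, "ok")


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator data blob for offline testing (no real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: one with PIN/biometric verification, one touch-only.
SAMPLE_WITH_UV = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
SAMPLE_TOUCH_ONLY = make_sample_auth_data("example.com", FLAG_UP, 8)

if __name__ == "__main__":
    print(check_assertion_flags(SAMPLE_WITH_UV, "example.com"))
    print(check_assertion_flags(SAMPLE_TOUCH_ONLY, "example.com"))
```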


Two-factor does not protect against phishing attempts.

The fake website can ask for two-factor input and man-in-the-middle proxy this to the attacked website. These techniques have been used by phishers for the last decade or so. Asking for more two-factor codes, e.g. once at login and once at withdrawal, helps, but the impact is not significant and it also brings down the overall UX.



