It's "always" a good idea to use two-factor-authentication, however, most methods I've heard of are essentially covered under SMS or a mobile app.  This inherently (and, I suppose, this is the purpose) ties an account to a phone number or a device.  Here's where my confusion begins:  I've read about markets on deep web, etc that offer 2FA, and that immediately brings a question to my mind:

Isn't the whole purpose of TOR browsing and the deep web staying anonymous?  How does one use 2FA and not tie to a phone number or a specific device?  Am I missing something basic here?