You might be able to set it so that you only have to do 2-factor once for a particular browser-computer combination, but if you or some malicious person tries to log in from a different computer or browser, you or they will need to have your phone.
Also, it looks like Google uses the SMS/Text messaging system.