The first type is less secured and more risky because there are SIM swapping attacks (for SMS, voice code) and if you rely on email, your account will be compromised if hackers have access to your email.
Some exchanges combine email and 2fa. My experience when logging in to bittrex or indodax I have to confirm the email, after that enter the 2fa code. Make it longer but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately this is done when the IP address changes, if every time log in must be confirm email and 2fa, I think that's good.