Some exchanges combine email and 2FA. In my experience, when logging in to Bittrex or Indodax I have to confirm the email, and after that enter the 2FA code. It makes it longer, but it looks safer. It takes 2 steps to confirm that it is the legal owner of the account. Unfortunately, this is done when the IP address changes; if every login had to be confirmed with email and 2FA, I think that would be good.
It will be required if you log in to your account on a new device or with a new IP address. Logging in on the same device and the same IP address doesn't force you to confirm the login activity by email confirmation.
Binance has a similar requirement too.