
Because the code is sent to a device Google know you have had physical possession of in the past. It's either sent by SMS, voice call, or to a pre-registered mobile app.

The general point of two factor authentication is that you need physical access to something (phone, token generator, etc), meaning that if somebody across the world knew your password they'd still be unable to cause any damage - or rather, it would take a lot more effort.



> Because the code is sent to a device Google know you have had physical possession of in the past. It's either sent by SMS, voice call, or to a pre-registered mobile app.

None of those connect to a device you've had "physical possession of in the past". Only the present. Phone calls, SMS and apps are all portable across hardware.


At least on iOS, the Google Authenticator app doesn't allow its tokens to be backed up or transferred.


For TOTP, you can have the same account on more than one device (I do for convenience). All you need is the initial seed which you can either enter manually, or scan the barcode using more than one device.


If they know my master password, they also need to have a phone, that is correct. But if they know a single application specific password, they can read my mail just fine. How does the two-factor authentication protect me in this case?



