Bi-modal 2FA is already here: you receive a code by text and you enter the code in your web browser (or a proprietary app like a banking app).

Moving from web browser to email for entering the 2FA code means that you (the user) have to make sure to send email to the correct address, not one provided by the attacker.