How 2FA works?

Hello,

there is a lot of 2FA text on Apple pages, but I don't understand the Apple 2FA philosophy.

Apple is requesting at least two devices on the same user ID to have 2FA working.

My understanding of 2FA is that when I want to log in with my device #1, I receive the security code on device #2, and vice versa. Now Apple is sending the security code simultaneously to device #1 and #2.

Where is the security factor in this case? If I lose whichever device, the finder or the thief will get the security code on my displaced device, remove the device from my account and have a clean device...

Any other views on Apple's 2FA?


Posted on Nov 27, 2019 6:30 AM

Question marked as Top-ranking reply

Posted on Nov 27, 2019 6:40 AM

No, Apple does not recommend nor require two Apple devices. See: Two-factor authentication for Apple ID - Apple Support

When a code is needed, it is sent by encrypted iCloud push notification to all of your trusted devices. A trusted device is one you have signed into iCloud on with your Apple ID and password and is listed under your trusted devices at https://appleid.apple.com/

You must register at least one SMS-enabled telephone number as a backup contact if iCloud push notifications are not working. And you are strongly encouraged to register at least another SMS-capable number or a voice telephone number as an additional backup. This is especially true if you have only one Apple trusted device such as only an iPhone where your trusted device and trusted SMS-capable number would be the same device.


From the above linked document:


“Trusted phone numbers

A trusted phone number is a number that can be used to receive verification codes by text message or automated phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.

You should also consider verifying an additional phone number you can access, such as a home phone, or a number used by a family member or close friend. You can use this number if you temporarily can't access your primary number or your own devices.”


and


“What if I can't access a trusted device or didn't receive a verification code?

If you're signing in and don’t have a trusted device handy that can display verification codes, you can have a code sent to your trusted phone number via text message or an automated phone call instead. Click Didn't Get a Code on the sign in screen and choose to send a code to your trusted phone number. You can also get a code directly from Settings on a trusted device. Learn how to get a verification code.

If you use iOS 11.3 or later on your iPhone, you might not need to enter a verification code. In some cases, your trusted phone number can be automatically verified in the background on your iPhone. It’s one less thing to do, and your account is still protected with two-factor authentication.”


Nov 27, 2019 6:37 AM in response to croircred142

2FA is to secure your Apple ID, read here: Two-factor authentication for Apple ID – Apple Support

Note: use at least 2 trusted phone numbers, and on your device use a screen lock passcode as well as switch Find My iPhone: ON

The 2FA code will only be sent if you log in to your Apple ID with the correct password.

The thief will not be able to see the 2FA code since s/he doesn't have the correct Apple ID & password.

Nov 27, 2019 6:45 AM in response to croircred142

Also note the security is not all encompassing. Your scenario of a thief with a trusted device is not relevant if:


  1. you've already removed that device from your trusted devices
  2. your device is secured with a screen lock passcode and you do not show notification preview on the lock screen, so they cannot unlock it to read the push notification
  3. the thief does not know your AppleID password (having just the code won’t grant them access to your account - both code and password are required).
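
The points made in the replies above (a code is only issued after the correct password, it goes to every trusted device, and a removed device no longer receives it) can be seen in a small model of a two-step sign-in. This is an added example, not Apple's implementation and not part of the original posts; the `Account` class, device names, password and 5-minute code lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a code stays valid (assumed value)


class Account:
    """Simplified server-side model of password + verification code."""

    def __init__(self, password, trusted_devices):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.trusted = set(trusted_devices)
        self.pending = None  # (code, expiry) once factor 1 has passed

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def start_sign_in(self, password):
        """Factor 1. Returns {device: code}; empty if the password is wrong."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return {}
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = (code, time.time() + CODE_TTL)
        return {device: code for device in self.trusted}

    def finish_sign_in(self, code):
        """Factor 2. Single use, and only valid after factor 1 succeeded."""
        if self.pending is None:
            return False
        expected, expiry = self.pending
        self.pending = None
        return time.time() < expiry and hmac.compare_digest(code, expected)

    def remove_device(self, device):
        self.trusted.discard(device)


def thief_scenario():
    acct = Account("correct horse", ["iphone", "ipad"])  # constructed sample data
    # Someone holds the iPad but not the password: no code is ever generated.
    no_push = acct.start_sign_in("guess")
    blind = acct.finish_sign_in("123456")
    # Owner removes the lost iPad, then signs in: only the iPhone gets the code.
    acct.remove_device("ipad")
    pushes = acct.start_sign_in("correct horse")
    ok = acct.finish_sign_in(pushes["iphone"])
    replay = acct.finish_sign_in(pushes["iphone"])  # code cannot be reused
    return no_push, blind, sorted(pushes), ok, replay
```
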
