Web-based 2FA without a second device is as secure as app-based 2FA with a second device if your threat model is to defend primarily against automated large-scale attacks and not against targeted attacks (e.g. hackers for hire, or state-sponsored attacks).

It is not primarily the second device that improves your security, it is the second authentication factor in the form of a time-based one-time password (usually a 6-digit number that changes every 30 seconds) as this delays the overall attack process and produces more work for the attacker.

A second device adds an additional layer of security on top of this, as a device is something not shareable with somebody else, but it is not the primary reason for the security of 2FA.

Additionally, the reliance on a second device also means that you have to manage and secure an additional device and ensure it is not lost or stolen.