They don't think the phone represents you. But the combination of proving you know the password and that you have physical access to a trusted device increases the confidence that it's you by a lot.
Depending on the form of second factor you use, it can stop phishing attacks (and don't say you'll never fall for one, anyone can make a mistake). The "send a notification" option for 2FA gives you information about where the login request is coming from, which is a chance to check that someone isn't sitting in the middle of the login process. And something like WebAuthn makes phishing impossible outside of a browser exploit since the domains won't match.
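To make the "domains won't match" point concrete, here is an added example (not part of the original comment) of the binding checks a WebAuthn relying party runs on a login assertion. The origin, RP ID, look-alike domain, helper names and sample messages are all constructed for illustration, and signature verification is left out; in a real flow the signature covers the authenticator data and the hash of clientDataJSON, so neither can be edited in transit.

```python
import base64
import hashlib
import json

# Assumptions for this example: the relying party's real origin and RP ID.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON the browser fills in."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticator data: rpIdHash | flags (UP set) | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")

def binding_failures(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of the binding checks that failed (empty list = all pass)."""
    failed = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failed.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if client_data.get("challenge") != b64url(challenge):
        failed.append("challenge")
    # The browser, not the page, writes the origin it actually loaded.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")
    # The authenticator scopes the credential to SHA-256(RP ID).
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    return failed

if __name__ == "__main__":
    issued = b"\x00" * 32  # constructed challenge; a real server uses random bytes
    genuine = binding_failures(make_client_data(EXPECTED_ORIGIN, issued),
                               make_auth_data(RP_ID), issued)
    lookalike = binding_failures(make_client_data("https://login.examp1e.com", issued),
                                 make_auth_data("login.examp1e.com"), issued)
    print("genuine origin:", genuine)
    print("look-alike origin:", lookalike)
```

An assertion produced on the look-alike page carries that page's origin and RP ID hash, so the real site rejects it even though the user approved the prompt.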