When a “magic link” is used from another system such as MainWP, or a web host’s control panel (or the likes of GridPane), 2FA/MFA is ignored.
One school of thought is that someone should have good security on those systems, and also already used 2FA/MFA. Some systems are better than others for that.
However, there can also be periods of time that those systems have been left logged in, or if other vulnerabilities are created or exploited in the future, that weaken the security there.
By allowing an option for 2FA/MFA to always be used, even if a passwordless/SSO logon occurs, it allows strong (and potentially no need to know) passwords to be used but also retains an OTP password requiring the “something that you have” factor of authentication and still providing a high level of security alongside very good ease of use.
(To see an example of how this works, WP 2FA from WP White Security still requires 2FA from a GridPane magic link, whereas Shield doesn’t. I can provide a video if it helps to visualise what I’m suggesting.)
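
The behaviour requested above can be modelled as a session-level gate. This is an added example, not part of the original post and not code from Shield, WP 2FA, MainWP or GridPane. The `Site` and `Session` classes, the `always_require_otp` option name and the sample secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Session:
    def __init__(self, user: str, method: str):
        self.user = user
        self.method = method        # "password" or "magic_link"
        self.otp_verified = False   # second factor not yet presented

class Site:
    """Hypothetical site model; `always_require_otp` is the requested option."""
    def __init__(self, otp_secrets: dict, always_require_otp: bool):
        self.otp_secrets = otp_secrets
        self.always_require_otp = always_require_otp

    def login_password(self, user: str) -> Session:
        return Session(user, "password")

    def login_magic_link(self, user: str) -> Session:
        # Session issued by an external system (management dashboard, host panel).
        return Session(user, "magic_link")

    def verify_otp(self, session: Session, code: str, now: float) -> bool:
        expected = totp(self.otp_secrets[session.user], now)
        if hmac.compare_digest(expected, code):
            session.otp_verified = True
        return session.otp_verified

    def can_access_admin(self, session: Session) -> bool:
        # The gate is evaluated on the session, not on the password form,
        # so the login method cannot skip it unless the option allows it.
        if session.otp_verified:
            return True
        return session.method == "magic_link" and not self.always_require_otp

# Constructed sample data: the RFC 6238 test secret, not a real credential.
SECRETS = {"admin": b"12345678901234567890"}
```

With `always_require_otp=False` a magic-link session reaches the admin area without a code; with it set to `True` the same session is held until `verify_otp` succeeds.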