Hacker News

Does MFA exist to force people to have/carry smartphones all the time, or is there a way to use it without a phone? I mean in practice for repositories like npm or rubygems?


It’s around 20 lines of Python (with no third party dependencies) to write a TOTP generator, so no.


You need somewhere to physically store a secret, plus the ability to do some computation to turn that secret into a time-based one-time code. A lot of people do use their phone, but there’s nothing to stop you using a dedicated hardware token, or conversely just your computer (e.g. 1Password [0]) if you’re comfortable with keeping all your secrets in the same place.

Naturally there are security/convenience tradeoffs however you do it. The important thing is that, unlike with passwords, you never send the secret over the wire.

[0] https://blog.1password.com/totp-and-1password/#totp-isnt-the...



