This sort of defeats the idea of 2FA, doesn't it? If it's implemented as a software service on the same device, it's (well, theoretically at least) hackable at the same time as the device itself. The two factors from 2FA are both accessible to an attacker at the same time, so you effectively have just single-factor auth.

It does, but there's actually a way to do this (i.e. U2F without having to buy another device) in a safe way, by using the TPM available on most computers: https://github.com/psanford/tpm-fido