Thanks for asking these questions.
o Do we have to buy some kind of hardware keys now?
You don't have to: the Google Authenticator App is also supported. However, I have a U2F key (available on Amazon for less than 10$) and it saves me from opening the authenticator app. That works pretty well in my experience.
o Will the 2FA affect git push & pull as well? Or just logging in to the actual website?
It will affect git push and pull over HTTPS, but not over SSH. SSH-push/pull is what I think everybody uses, so the answer would then be "no".