Why do we need a separate access key and secret access key?

Access key is like a username/userid performing an action using the API or command line tools. The Secret access key is like the password that generates a hash that authenticates the API call. MFA is just an additional layer of protection in case your keys are leaked. (or perhaps someone accidentally checked theirs into source code repo). MFA isn’t intended to replace an ordinary password. 

If it helps, think of MFA in the context of ordinary user authentication to a VPN. There’s the user (access key), and something known to that user (secret access key) and finally something possessed by the user (the MFA, in form of physical key or soft token).