Multi-Factor Authentication Misconceptions - Part II

A developer I used to work with and I were discussing the factors of authentication and he put forth the idea that a username and password were two factors. My response was, “No.” He paused for a second, agreed, and then added that we would need to add a second password to make it two factors. Again my response was, “No.”

 

Adding additional fields such as this would just make the single factor (something I know) a bit stronger but not add an additional factor. If a second password is added there is no change to the method of authentication, just an increased strength in one method.

 

I explained it to him in this way (if you know of a better way, please let me know; comment below). The username and password are all retrieved and submitted through the same method, and they can be represented as a username, a delimiter, and a password. Using multiple passwords just means that one meta-password is longer and contains an arbitrary character to divide it into two chunks. Once he saw it in that light, he understood that breaking the meta-password into separate text boxes does not make it a separate factor.

 

In order to add an additional factor of authentication you have to change the way you authenticate (not more of the same). The username and password(s) just check that you know some information. The different dimensions of authentication factors are: something I know (e.g. a password), something I have (e.g. a smart card), and something I am (e.g. a retinal scan). To add additional factors to an authentication mechanism you have to use a different dimension. In this case you already have the something I know factor and would have to add the something I have or something I am factors to hit the second or third dimension.
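The meta-password argument and the factor dimensions above can be checked in code. The following Python is an added example, not part of the original post: it shows that a two-text-box check accepts exactly the same inputs as one check over the joined meta-password, and that factors are counted by distinct dimension rather than by number of fields. The credential names, the delimiter choice and the salt are assumptions made for the illustration.

```python
import hashlib
import hmac
from enum import Enum

class Factor(Enum):
    KNOW = "something I know"
    HAVE = "something I have"
    AM = "something I am"

# Assumed mapping of credential types to factor dimensions (names are illustrative).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "second_password": Factor.KNOW,
    "smart_card": Factor.HAVE,
    "retinal_scan": Factor.AM,
}

def distinct_factors(credentials):
    """Factor dimensions a login flow covers; repeats in one dimension collapse."""
    return {CREDENTIAL_FACTOR[c] for c in credentials}

DELIMITER = "\x1f"  # assumed: a character the text boxes never accept
SALT = b"constructed-demo-salt"  # constructed value; use a random per-user salt in practice

def kdf(secret):
    """Derive a verifier from a typed secret (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)

def meta_password(*secrets):
    """The single string that several typed secrets amount to."""
    if any(DELIMITER in s for s in secrets):
        raise ValueError("delimiter must not appear in a secret")
    return DELIMITER.join(secrets)

def enroll(pw1, pw2):
    """Store the same two secrets both ways: as a pair and as one meta-password."""
    return (kdf(pw1), kdf(pw2)), kdf(meta_password(pw1, pw2))

def check_two_boxes(stored_pair, pw1, pw2):
    """Two text boxes, two comparisons."""
    ok1 = hmac.compare_digest(kdf(pw1), stored_pair[0])
    ok2 = hmac.compare_digest(kdf(pw2), stored_pair[1])
    return ok1 and ok2

def check_meta(stored_meta, pw1, pw2):
    """One comparison over the joined meta-password."""
    return hmac.compare_digest(kdf(meta_password(pw1, pw2)), stored_meta)
```
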

 

Ultimately all the factors have to be represented in a way a computer can store and validate them, meaning they can all become something I have, but this is an entirely separate philosophical discussion that may be addressed at a later time.
