It's a second factor because the tech peeps think it is--one, access site, two, receive code. I didn't include the stupidity of using the authenticator app on the device that sends the code to the device that get stolen. It's all nonsense that adds only unnecessary hassle.