[smholloway]

If I'm understanding you correctly you're confused why only the hardware column is checked--is that right? That's, unfortunately, a common complaint. The columns _should_ correspond to only the second factor, with an assumption that username/password (a "knowledge" factor) is likely the first factor.

Some backstory on that decision: the site originally had columns for each 2fa company/product you could use; e.g., Google Authenticator, Authy, etc. Listing all the options was not scalable as the number of options grew, so twofactorauth.org went with a more abstract classification based on the second factor interaction. A few examples where that matters: * If you refuse to use an easily misplaced fob then you might avoid sites that only offer hardware 2fa. * Not everyone can receive SMS, but maybe they can download an app (software) or reuse their hardware token. * Some people prefer a voice call, so they might choose a bank that allows for 2fa-over-voice.

Hope this helps.