[Falkon1313]

Exactly. The thing I have is whatever device I'm using right now - could be my PC, my work laptop, my phone, or any other system I can plug a USB stick into. And the thing I know is - well I don't really know it at all - it's whatever whichever device I'm using spits out when I tell it to tell this other thing what I supposedly 'know'.

And then the remote system, trying to be ultra-secure, says "ok we'll send you an email/message and you need to confirm that". But that third factor message comes in on the exact same device I'm using for both the first factor and the second factor.

It's all just security theater.

Conceptually, it kinda makes sense. Like when using a credit card, require the name on the card, expiration date, billing address, and CVC instead of just the number.

But in practice, eh. We have nothing similar to the financial system to catch fraudulent ID usage. So it's all just extra annoyance. For practicality, almost everyone will end up with everything just being a single factor.