by Jach 5062 days ago
It's only n-factor if you have n orthogonal keys. Typically "something you know", "something you have", and "something you are". In the same sense that two passwords aren't "2-factor", I wouldn't say that a fingerprint + DNA sample is "2-factor". The problem with "something you are" as a third factor is that it typically requires you to have some hardware to get that information, in which case it's just 2-factor again. And if we get the technology to read out brain dumps, knowing a password is just a part of something you are and we're back to 1-factor...

Which suggests it's not the number of factors that is important, but the total number of bits of information involved and how hard it is for theoretical attackers to gather all those bits. Is your scheme torture-proof? I doubt anyone would prefer torture over handing over their phone + password to their Gmail account. But most attackers aren't going to come torture you. A phone or a YubiKey or what have you is immune to OS keyloggers, which defeat passwords of any complexity; that alone makes them useful against a big class of attackers. What class of attackers does e.g. a thumbprint further defeat?

It sounds like it's more useful as a reset verification than anything else--you can forget your password and lose your phone, but you don't lose your thumb--usually. (We can also get the 'mark of the beast' and have chips implanted in our hands.)