[eastern]

Possession of the device and typing a PIN into the _same_ device does not qualify as 2FA.

It's not 2FA unless information flows between the user and the authenticator through two independent routes. For example, in Twitter's (and others') 2FA, information must flow between Twitter's servers and the user through the Twitter UI as well as through a GSM text message. That's 2FA.

[jakobe]

I am pretty sure that possesion of device and typing PIN into the same device qualifies as 2FA. A spy that watches you type your PIN can't log in without your device. At the same time, a thief that steals your device, but doesn't know your PIN, also can't log in. You need both; hence TWO FACTOR AUTHENTICATION.

[eastern]

The casual thief case is trivial. Surely, clef's goal includes protection against a somewhat more sophisticated adversary who is targeting you, specifically.

Someone gets some malware on to the phone and gets the run of it. Records the pin, later steals the phone, or is able to replicate the entire device.

This could be guarded against if the pin changed every time and was delivered through an independent channel, which is what 2FA if all about. A complete, undetected compromise of a single device or a single information channel should not be able to defeat 2FA. That doesn't appear to be the case here.

[jakobe]

But 2FA doesn't protect you from even a single compromised device. If the computer you use to access the service is compromised, an attacker can simply intercept your next login attempt. The only difference is that in the case of CLEF the vulnerable part is your mobile, not your laptop.