by 0x45696e6172 4016 days ago
Shameless self-plug:

Three-factor authentication with ssh public key, Google Authenticator and password

https://turquoiseliquorice.wordpress.com/2013/10/05/three-fa...


That's still two factor authentication. The possible factors are "something you know", "something you have" and "something you are". Two "things you have" only count as a single factor between them.
How do you authenticate something you are? Specifically across a medium like the internet? Fingerprint scans?
Generally, "something you are" is some sort of biometric. Fingerprint, iris, hand geometry, palm veins, face and voice are all possible. Some laptops have fingerprint readers, face/voice recognition would probably work fine through a cheap webcam. I'm not sure how you'd prevent replay attacks if you were running it over the internet.
For single or small-n user systems, the best practice that's evolved around this is to not actually send the fingerprint image to the remote server. A trusted security module has a private key and the biometric sensor, and the remote server has the public key. The trusted security module locally validates the fingerprint, and then signs a message that can't be replayed to indicate the fingerprint was presented.
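As an added example (not code from the thread or the linked post), here is the challenge-response flow the last comment describes, using Go's standard-library Ed25519: the server issues a single-use random nonce, the trusted module matches the fingerprint locally (a stand-in boolean here, since no sensor is involved) and signs only the nonce, and the server consumes each nonce on first use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server side: holds only the module's public key and the nonces it has issued.
type Server struct {
	pub     ed25519.PublicKey
	pending map[[16]byte]bool // issued but not yet redeemed
}

func NewServer(pub ed25519.PublicKey) *Server {
	return &Server{pub: pub, pending: map[[16]byte]bool{}}
}

// Challenge issues a fresh random nonce that can be redeemed exactly once.
func (s *Server) Challenge() [16]byte {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	s.pending[n] = true
	return n
}

// Verify accepts a response only if the nonce is still outstanding and the signature
// is valid. The nonce is consumed either way, so a replayed response is rejected.
func (s *Server) Verify(nonce [16]byte, sig []byte) error {
	if !s.pending[nonce] {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.pending, nonce)
	if !ed25519.Verify(s.pub, nonce[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Module side: the trusted module (private key plus sensor) matches the
// fingerprint locally and signs only the server's nonce, never the biometric.
type Module struct{ priv ed25519.PrivateKey }

// fingerprintMatched stands in for the local sensor decision (assumed, no real sensor).
func (m Module) Respond(nonce [16]byte, fingerprintMatched bool) ([]byte, error) {
	if !fingerprintMatched {
		return nil, errors.New("biometric not accepted locally")
	}
	return ed25519.Sign(m.priv, nonce[:]), nil
}
```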