Comment by fc417fc802

5 hours ago

> I think it is too simple to reduce the definition of second factor to how it is stored.

I think the defining characteristic is how it is used. I can use a password like a second factor, and I can use a TOTP code like a password. The service calls it a password or a second factor because that was the intention of the designer. But I can thwart those intentions if I so choose.

Recall the macabre observation that for some third factor implementations the "something you are" can quickly be turned into "something your attacker has".