Oh, this is too precious. A bank thinks two-factor authentication means a username and a password. As Bruce Schneier clarifies:

Um, hello? Having a username and a password — even if they’re both secret — does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.

So how many is two? The bank’s interpretation is linguistically syntactically and semantically correct. However, their context is all wrong.

Risk management requires context, not category error.

-jsq