For example, if your web browser or password manager is syncing your passwords to your mobile phone, and that's the same phone the SMS codes or TOTP app runs on, is this completely circumventing the whole concept of "two factors"?
Asking for a friend, because I'm sure no HN readers would be dumb enough to do this...
(also, The Register covered this same story yesterday, here's my dupe submission: https://news.ycombinator.com/item?id=12157529)
> Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).
So as long as your phone is sufficiently password-protected, that is still 2fa.
Many physical security systems utilize multiple factors of authentication for access that are tied into a single reader. They often have a badge reader (something you have) and a fingerprint/eye scanner (something you are) or a PIN pad/digital combo dial (something you know) all built into the same device stuck on the wall. Sometimes they'll use separate systems for this, but the combo units are very common.