In security, you can authenticate someone by using 4 factors:

* What they know (A password, a secret question)
* What they have (A key, a badge, a phone)
* What they are (Their fingerprints, their DNA)
* Where they are (Their office’s network)

A card is something you own and security is provided by you owning it. It can still be stolen just like a password.

By the way, 2 factors authentication means you use 2 of those to authenticate, mostly a password and a physical device.