How does Two-factor authentication (2FA) work? Why does it not work for all online purchase transactions?


10 Answers

Anonymous 0 Comments

It means that you need to be verified or validated by more ways (aka factors) than one. And not in a way that is based on your ability to complete an action (e.g., captcha. Those are akin to asking someone to solve a 2nd grade math problem to prove they’re a 2nd grader).

Let’s say you have a treehouse with a rope ladder and a door with a lock. You and I have:

– previously agreed upon a spoken password
– broken a medallion in two such that only those two pieces fit together, and one piece is carried by each
– buried a key to the door at a random spot that only we both know.

To enter the treehouse, first you need to tell the one in the treehouse the spoken password for the rope ladder to get thrown down. Then as you get to the top of the ladder where the locked door is, you need to either match your medallion piece with mine (through an access hole) and I open the door, or unlock the door with the key that you’ve dug up. The medallion or the key is the second factor here.

If there’s something unique about you that I can look at to confirm that it is you, then I wouldn’t need to repeatedly ask for the second factor. For example, you have a specific mole or I put a unique temporary tattoo on you. I can just look at that and be satisfied that it is truly you who is using our spoken password.

A lot of secure websites are like that treehouse – you can only enter restricted sections with two factors. But once you’ve entered and I’ve marked you (like with a temp tattoo), if you leave and come back, I can be less paranoid about verifying you.

In all this, there is preliminary work to be done – you and I need to establish these factors to be used in the future. Another friend of yours may throw the rope ladder to their treehouse down if you just say the spoken password. This is similar to websites that just need a password for you to get in. Yet another friend of yours may have the rope ladder down at all times. This is similar to completely open websites that don’t need any password to get in and browse (e.g. Wikipedia).

Why does 2FA not work for all online purchase transactions? Either I’ve decided that I just need a spoken password for you to access my treehouse, or I’ve seen you in the treehouse in the recent past and you have the temp tattoo that I put on you.
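
An added example, not part of the answer above: the treehouse check written as a Python login flow, with the password as the first factor, an RFC 6238 time-based code as the second, and a signed, expiring remembered-device mark standing in for the temp tattoo. The account, keys, 30-day lifetime and all function names are constructed for illustration.

```python
import hashlib, hmac, struct

SERVER_KEY = b"constructed-server-key"   # constructed; signs remembered-device marks
TRUST_SECONDS = 30 * 24 * 3600           # assumed lifetime of the "temp tattoo"
SALT = b"constructed-salt"               # constructed; one salt for the single demo user

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1): the shared 'medallion'."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def issue_device_mark(user: str, now: float) -> str:
    """Signed 'user|expiry' value the browser keeps after a full two-factor login."""
    body = f"{user}|{int(now) + TRUST_SECONDS}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def device_mark_valid(mark: str, user: str, now: float) -> bool:
    try:
        name, expiry, sig = mark.split("|")
        expires_at = int(expiry)
    except ValueError:
        return False                     # malformed mark: treat as unrecognised device
    expected = hmac.new(SERVER_KEY, f"{name}|{expiry}".encode(), hashlib.sha256).hexdigest()
    sig_ok = hmac.compare_digest(sig.encode(), expected.encode())
    return sig_ok and name == user and now < expires_at

# Constructed account record: what both sides agreed on during enrolment.
USERS = {"alice": {"pw": hash_password("treehouse"), "totp": b"constructed-totp-secret"}}

def login(user, password, now, code=None, device_mark=None):
    """Returns (result, new_device_mark). The password is always checked first."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(hash_password(password), rec["pw"]):
        return "denied", None
    if device_mark and device_mark_valid(device_mark, user, now):
        return "ok", None                # recognised device: second factor skipped
    if code is None:
        return "second_factor_required", None
    # Accept the current and the previous 30 s step to tolerate clock drift.
    if any(hmac.compare_digest(code.encode(), totp(rec["totp"], now - d).encode()) for d in (0, 30)):
        return "ok", issue_device_mark(user, now)
    return "denied", None
```

The mark only replaces the second factor; a wrong password is rejected even when a valid mark is presented, and an expired or altered mark sends the user back to the full two-factor check.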
