How does 2FA remain secure when most people have saved passwords or credentials/“remember me” on one single device, usually their smartphone; potentially a single point of failure? For that matter, why only 2FA and not 3 or 5FA?


For clarification, some banking apps simply require a separate password in a separate app to be entered, emulating the same concept that Google Authenticator employs.

How is this more secure than say, having a secondary password field in the main app?


6 Answers

Anonymous 0 Comments

Not all “factors” are equal. For example, having two different passwords is basically the same as just having one, longer password. So having a second password field really doesn’t make it 2FA.

Generally, the factors should be of different kinds, the three kinds being:

* Something you know (e.g. a password)
* Something you have (e.g. a smartphone)
* Something you are (e.g. fingerprints/retina)

2FA commonly employs the first two. The smartphone is something you have and the password you enter into it is something you know.

Yes, this means if you enable your device to save and autofill the password part (and your phone isn’t additionally protected with a PIN or a passcode to get into it) then you have effectively eliminated one factor from consideration; all someone needs is your phone and they get in.

That doesn’t make 2FA inherently less secure. Just about any security system can be rendered insecure by poor implementation or decisions on the part of the users.

As to why it isn’t 3FA or 5FA: as I point out above, there are only 3 “kinds” of factors, and having two factors from the same category really doesn’t add anything. So the highest you can go and have significant additional security is 3FA, but that means biometrics.

Biometrics are generally costlier or, when they aren’t costlier, less reliable, or otherwise have privacy concerns. Theoretically you could implement this yourself by locking your phone with face recognition or a fingerprint scanner in order to access the 2FA app on it.
