The oldest form of two factor authentication (2FA) is something you have (physical) and something you know (password/code). The credit card is the physical form, and the PIN is the secret. You need both to make it work.

With a password, you have single factor authentication. It uses a potentially public identifier (username/email address) and a secret that anyone can guess at (password). The longer and more complex the secret, the harder it is to guess/figure out by a human or more likely, a machine.

Website owners learned the hard way that 2FA is far more secure than a long and complex secret, hence why today most financial and other important online services use tokens/authenticators or other forms of the old have/know combination.

In the late 90s a company called RSA made their name with the introduction of the rolling code hardware token, although these days we tend to use software tokens like Google authenticator or other App based token/code generators