Smartphones Emerge as a Factor
People tend to keep their smartphones close. According to a 2015 study conducted by Bank of America, as many as 71% of people sleep with their smartphones. If a person's smartphone is lost or stolen, they are very likely to call their carrier, have service discontinued on the old phone, and have it turned on for a new one.
2-Step and 2FA Authentication with Mobile Phones
The simplest authentication techniques that leverage mobile phones involve sending a text message with a one-time code, or placing an outbound call to the phone with an automated message that reads out the code. Typically, the code then needs to be entered on a computer screen, for example when logging in to a web site or confirming a money transfer in an online banking system. Strictly speaking, this is considered 2-Step Authentication, not Two-Factor Authentication. For the differences between the two, see: 2-Step vs. 2FA Authentication.
Why? Because the service would still work even if you did not have possession of that particular phone. For example, you may have your phone number forwarded to another phone or routed through an SMS messaging service not tied to a mobile device. And because authentication could happen without a particular phone, the phone is not a true 2FA factor in this scenario. However, some companies may decide that texts and phone calls to a mobile device are a “good enough” approximation of a true 2FA factor and are satisfied with 2-Step Authentication. This is a question of risk management.
To see an article about NIST's decision, click here for details. To achieve true 2FA with a mobile phone, it is necessary to install special software on the device. This software uses a certificate that positively identifies the device. The software can then generate passcodes similar to a security token, additionally proving the time of authentication. Google Authenticator uses an approach similar to this.