spicy security take, 2FA
The common understanding of "two-factor authentication" (something you know and something you have) is terrible, because it relies on a classification that is really hard to make. Do you *have* a 2FA app, or do you *know the key* to a 2FA app?
A much better model is "a factor is a separate environment that would need to be compromised independently", because it can be reasoned about and directly reflects what actually has to happen to bypass it.
This means that a 2FA app on a phone and a password manager on a PC are two factors: two devices that need to be separately compromised. A 2FA utility *in* the password manager is *not* two factors, because compromising the computer is enough to bypass both. Biometric+password *is* two factors, because compromising the computer does not get you the biometric data, unless it is actually stored on there.
And yes, this is something that non-security-specialized folks can understand too, if you use slightly different wording ("hack two different devices instead of one" for example).
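As an added illustration (not part of the original post), the "independent environments" model can be written down as a small search: each credential a login requires lives in one or more environments, and the real factor count is the smallest number of environments an attacker would have to compromise to get all of them. The scenario names, environment names such as `pc`, `phone` and `user_body`, and the credential lists are constructed for the example.

```python
from itertools import combinations

# Model from the post: a "factor" is an environment that has to be compromised
# independently. Each required credential lives in one or more environments; the
# effective factor count is the smallest set of environments covering them all.

def factor_count(required, locations):
    """Minimum number of environments an attacker must compromise to obtain
    every credential in `required`. Exact set-cover search by subset size,
    which is fine for the handful of environments a real login involves."""
    envs = sorted({env for cred in required for env in locations[cred]})
    for k in range(1, len(envs) + 1):
        for chosen in combinations(envs, k):
            if all(set(locations[c]) & set(chosen) for c in required):
                return k
    return 0  # nothing required: nothing to compromise

# Constructed scenarios mirroring the post's examples (hypothetical names).
SCENARIOS = {
    # TOTP app on the phone, password in the PC's password manager: two devices.
    "phone_totp_plus_pc_password": (
        ["password", "totp_secret"],
        {"password": ["pc"], "totp_secret": ["phone"]},
    ),
    # TOTP generator built into the password manager on the same PC: one device.
    "totp_inside_password_manager": (
        ["password", "totp_secret"],
        {"password": ["pc"], "totp_secret": ["pc"]},
    ),
    # Biometric only obtainable from the user, password on the PC: two.
    "biometric_plus_password": (
        ["password", "fingerprint"],
        {"password": ["pc"], "fingerprint": ["user_body"]},
    ),
    # Same, but the biometric template is also stored on the PC: back to one.
    "biometric_stored_on_pc": (
        ["password", "fingerprint"],
        {"password": ["pc"], "fingerprint": ["user_body", "pc"]},
    ),
}

def evaluate_all():
    """Factor count for every constructed scenario."""
    return {name: factor_count(req, loc) for name, (req, loc) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, n in evaluate_all().items():
        print(f"{name}: {n} factor(s)")
```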
@joepie91 something you get from an app and something you get from a different app