Two-factor authentication requires the user to authenticate in more than one way, in order to reduce breaches caused by stolen credentials or stolen devices.
For instance, if the user is authenticated only by “something he knows”, then a leaked or cracked password, or personal details obtained through social engineering, will give away access to his account.
Similarly, if a user is authenticated only by “something he has”, then a stolen device (phone or smart card) will give away access to his account.
Hence, two-factor authentication needs to satisfy an “AND” clause.
The user needs to be authenticated by providing answers (something he knows) AND by possessing his personal registered device (something he has).
So, if a user wants to access his bank details and has forgotten his password, he will be asked to enter answers to his personal security questions, and will also be sent a reset PIN to his mobile phone (or secondary email-id). Only once he answers all his questions correctly AND enters the PIN correctly will he be allowed into the system. Two-factor authentication thus narrows the chances of a malicious user breaking into an account through brute force, theft, or social engineering alone.
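The “AND” rule described above, as an added example that is not part of the original text: a small verifier that accepts a login only when the security answer (something he knows) and a freshly issued one-time PIN (something he has) both check out. The salt, the stored answer, the PIN lifetime and the attempt limit are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo salt; a real deployment would use a per-user random salt and a slow KDF.
SALT = b"demo-salt-not-for-production"


def hash_secret(value):
    """Salted hash of a knowledge-factor answer or PIN (constructed helper, not a real KDF)."""
    return hashlib.sha256(SALT + value.strip().lower().encode()).digest()


class TwoFactorVerifier:
    """Grants access only if BOTH factors pass: correct answer AND valid, unexpired, unused PIN."""

    def __init__(self, answer_hash, pin_ttl=300, max_attempts=5):
        self.answer_hash = answer_hash      # hash of the registered security answer
        self.pin_ttl = pin_ttl              # seconds a delivered PIN stays valid
        self.max_attempts = max_attempts    # lockout threshold against brute force
        self.attempts = 0
        self.pin_hash = None
        self.pin_expires = 0.0

    def issue_pin(self, now=None):
        """Create a fresh 6-digit PIN to be delivered out of band (SMS or secondary email)."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(1_000_000):06d}"
        self.pin_hash = hash_secret(pin)    # store only the hash, never the PIN itself
        self.pin_expires = now + self.pin_ttl
        return pin

    def verify(self, answer, pin, now=None):
        """Return True only when the knowledge factor AND the possession factor both succeed."""
        now = time.time() if now is None else now
        if self.attempts >= self.max_attempts:
            return False                    # locked out: too many failed attempts
        self.attempts += 1
        # Evaluate both factors fully before deciding, so a failure does not reveal which one failed.
        knows = hmac.compare_digest(hash_secret(answer), self.answer_hash)
        has = (self.pin_hash is not None and now <= self.pin_expires
               and hmac.compare_digest(hash_secret(pin), self.pin_hash))
        if knows and has:
            self.pin_hash = None            # PIN is single-use
            self.attempts = 0
            return True
        return False
```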