Before the user's TwoFactorEnabled property is set, the user configures
a second factor. The first factor is the user's password which is something they know. The second factor must be
"something they have" or "something they are". Something they have is a physical object in the possession of the
user, such as a USB stick with a secret token, a bank card, a key, etc. Something they are is a physical characteristic
of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
Something they have is easier to implement and most people have a mobile phone.