Is "two-step" authentication the same as "two-factor" or "multi-factor" authentication?
The idea of "two-step" or "multi-step" authentication (e.g. the presentation of a secondary authentication step after the first is successfully performed) does not meet the Council's definition of "multi-factor" authentication, unless both of the following conditions are met:
- The whole authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
  a. Something you know, such as a password or passphrase
  b. Something you have, such as a token device or smartcard
  c. Something you are, such as a biometric
- All of the authentication mechanisms used must be independent of one another, meaning access to a secondary authentication mechanism cannot depend on the first (for example, using the same username/password both to authenticate the user and to control access to the email account to which the secondary factor is sent would not be independent, since compromising that one password exposes both factors).