No lengthy article this time folks, just a flow diagram to demonstrate the differences between two-factor authentication and two-step verification.

(full size)

Why isn't an OTP via SMS a 2nd factor?

At first glance, the mobile phone appears to be "something we have" (one of 3 factors necessary to be multi-factor), but that's not quite true.

The device itself isn't key to successfully authenticating, but rather the OTP delivered to it.

If it were truly a 2nd factor, it would be impossible to authenticate without the device. If an attacker ports your mobile number to another provider or manages to intercept your SMS by whatever method, they would "know" the OTP and be able to authenticate, despite not "having" the device.

Google seem to suggest an SMS is "something you have", is that wrong?

It's highly unlikely that an attacker would be able to port your number, or intercept your SMS. On that basis, it's sufficient to perhaps consider the phone to be a second factor.

Technically however, as someone else may "know" it, it's multiple steps of a single factor.

Is an OTP via email safe?

Email is inherently insecure at the best of times, with few sites supporting STARTTLS (and those that do often get it wrong), so it's arguably better than nothing, but not particularly safe.

What's does 2 channel SMS mean?

The OTP data travels over an entirely-independent network, not from the device upon which you're trying to authenticate. This makes eavesdropping much harder for an attacker.