To me, and I guess the classical definition, multi-factor authentication is made up of:
- Something the user knows (passwords, PINs, etc)
- Something the user has (ATM card, CAC, etc)
- Something the user is (biometrics, eyes, fingerprint, voiceprint, etc.)
As I mentioned above, right now, my bank uses a username and password to log in. That's something you know. Adding a question that the user "knows" the answer to is not adding a new authentication method. That answer is still something you know.
I'm trying to get in touch with someone at the bank to see if there are other options supported or if there are any plans to add a second factor.