Two factor authentication is when you combine multiple methods of authentication to prove who you are at login. With a ATM, you have the ATM card and you know your personal identification number (PIN). So you’ve proven who you are with something you have and something you know.
When you log into your company’s VPN you might use a RSA SecurID card as well as a PIN. But what happens if the PIN is written down and stored with the card? Anyone who finds the card has the PIN as well. You have essentially reduced your two factor authentication to one factor authentication blowing the security that your company paid for by implementing SecurID.
Two factor authentication can be reduced to one factor authentication based on user behavior.