How is "something you have" typically defined for "two-factor" authentication?

Çağlar Arlı - 70 Views

A wide range of products claim to offer "two-factor authentication" (cf. Two-factor authentication - Wikipedia). Most are deployed as "something you have" to be used in addition to a normal password ("something you know"). Some of these "second factors" are as simple as providing a piece of paper with either one-time passwords or information needed to respond to a simple challenge-response protocol. Others range all the way up to “hard” cryptographic tokens which cannot readily be copied. The latter is, e.g., required for the NIST 800-63 (Electronic Authentication Guideline) "Level Of Assurance 4" (aka LOA 4).

For example, would a one-time-password via paper meet NIST's "LOA 3" requirements? How about the various recommendations for banking (e.g. FFIEC), or related requirements from other entities?