Is Google Authenticator really a second authorization factor?

multi-factor-auth

Google Authenticator uses a static security key to generate time-based one-time passwords.

This makes the security key equivalent (in terms of usage) to a usual password.

As two passwords are equivalent to a single longer one, why does the security key count as another authorization factor?

Best Answer

First, I don't really know if Google Authenticator works with static security keys, but if they do, such a key is probably a lot longer than your usual password would be. EDIT: I can't find an example of such a security key, I have to turn 2-factor auth off and on to get a new one, but @Basilevs suggests that they are only 10 characters long.

Second, it's only stored on your mobile phone, so there is no internet connection that can be intercepted. Only someone with access (count in malware, of course) to your phone can access the one-time passwords.

Third, when your phone is lost or stolen, you can easily block that phone and create a new security key to use for your new phone.

Last but not least, I'm glad that you ask, since I recently found out myself that Google 2-factor authentication isn't as two-factor as it claims to be. In fact, when you activate 2-factor authentication, you get a pseudo 2-factor login, but what you really get is a still-1-factor login moved from your password to your phone's security code.

How so? When you click the Forgot Password? link, all that Google requires you to give for choosing a new password is your phone's one-time password! So in fact, your password doesn't matter anymore at all; anyone with your phone has access to your account!