Is it mandatory in MFA that the factors should be (1) something you have + (2) something you know + (3) something you are, or it is okay to use any single of two factors multiple times (e.g. password + fingerprint + retina scan)?
It seems there are one more factor to consider as "Something you do" which includes your handwriting pattern, typing speed etc [Ref: Computer Security: Art & Science by Mat Bishop].