
Is it mandatory in MFA that the factors should be (1) something you have + (2) something you know + (3) something you are, or is it okay to use just one or two of the factors multiple times (e.g. password + fingerprint + retina scan)?

It seems there is one more factor to consider, "something you do", which includes your handwriting pattern, typing speed, etc. [Ref: Computer Security: Art & Science by Matt Bishop].

3 Answers

Note that MFA includes both 2FA and 3FA.

The widely accepted definition of multi-factor authentication (see this NIST definition) is:

Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

Emphasis on factors, not pieces of information.

Therefore, your proposed scheme would qualify as 2FA, which is a form of MFA ("two or more different factors"), but not 3FA.

True three-factor authentication involves a password/PIN + a token/smart card + a biometric characteristic.

  • So, just to be clear, MFA is also a 2FA, right?
    – Mohammad
    Commented Apr 21, 2018 at 10:52
  • @mahmudKabir Yes. MFA means "two or more different factors". If they are two, it's 2FA; if they are more (i.e. 3), it's 3FA.
    – A. Darwin
    Commented Apr 21, 2018 at 10:54

For something to count as "multi factor" it needs to have factors from at least two of those categories. So password + fingerprint + retina is multifactor since it's something you know and something you are. In fact, it would still count even if you dropped the retina scan. But e.g. password + PIN would not count as it's only one factor, i.e. something you know.


In MFA (2, 3, 4FA) you start with a declaration: who am I (user name). This is not a factor; it is a claim.

Factors for proving the claim (authentication): something you know, something you have, something you are, something you do, someplace you are. Typical answers to the factors (in order): password; certificate, time based code (OTP), cell phone code prompt; fingerprint, retina scan, voice print; signature, wave your hands, do a dance; IP address.

You can't reuse factors to have multi-factor auth.
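The counting rule from the answers above (distinct categories count, repeated pieces in one category do not, and a username is a claim rather than a factor) as an added Python example; this is not code from the question or any answer, and the method-to-category mapping is constructed here, not taken from NIST or the book cited.

```python
from collections import Counter

# Factor categories: the three from the NIST definition quoted above plus
# "something you do" and "someplace you are" from the third answer.
# The mapping of concrete methods to categories is constructed for this example.
FACTOR_OF = {
    "password": "know", "pin": "know", "security question": "know",
    "smart card": "have", "hardware token": "have", "totp": "have",
    "certificate": "have", "phone prompt": "have",
    "fingerprint": "are", "retina scan": "are", "voice print": "are",
    "signature dynamics": "do", "typing rhythm": "do",
    "ip address": "where",
}

# Identity claims name who is authenticating; presenting one proves nothing.
CLAIMS = {"username", "email"}


def distinct_factors(methods):
    """Return the set of factor categories covered by the given methods.

    Claims are skipped. Unknown methods raise ValueError so that a typo in a
    policy cannot silently be counted as an extra factor.
    """
    categories = set()
    for m in methods:
        key = m.strip().lower()
        if key in CLAIMS:
            continue
        if key not in FACTOR_OF:
            raise ValueError(f"unknown authentication method: {m!r}")
        categories.add(FACTOR_OF[key])
    return categories


def factor_level(methods):
    """Label a method list '1FA', '2FA', '3FA', ... by distinct categories."""
    return f"{len(distinct_factors(methods))}FA"


def is_mfa(methods):
    """True when two or more *different* categories are present (NIST wording)."""
    return len(distinct_factors(methods)) >= 2


def redundant_pieces(methods):
    """Extra methods inside one category add assurance but no new factor."""
    counts = Counter(FACTOR_OF[m.strip().lower()] for m in methods
                     if m.strip().lower() in FACTOR_OF)
    return {cat: n - 1 for cat, n in counts.items() if n > 1}
```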
