Some of my secure online web sites have me request a one time password which can be sent as a text message to my phone, sent to an email account or heard via telephone robot. Then to access the site in question you enter your name password and the one time password. This appears to be a type of two factor authentication also. It would seem superior to manage to a smart card in that smart cards break, get out of synch etc. Everyone pretty much already owns a smart phone (or is afforded one from their company).
From a PCI perspective would username, password plus this type of One Time Password count as two factor?