>because it's actually more than two-factor authentication
Kind of, maybe, but you really have to stretch the definition. Two factor authentication is typically a combination two of:
- something you know
- something you have (physical object)
- something that's an inherent characteristic (biometric data)
specifically so that it's extremely unlikely that an unauthorized user can get access to more than one of them.
Meanwhile yours (from what I can guess from your under-specified description) involves:
-Picture (keyfile?) that's stored online where anyone can get it (and how do you access it? a password?)
And yes, that's considerably more challenging to hack than a simple password alone, but it still sounds like it only involves "something you know", and thus offers none of the more concrete protections offered by more traditional two-factor authentication. All it takes is someone filming your keyboard and screen while you log in and your security is completely bypassed. Not appreciably more difficult to hack than a completely random 30-character password that can be conveniently stored in an encrypted password manager on a USB flash drive accessible via passphrase, which provides quasi-twofactor authentication on the front end. You can watch me enter my passphrase, but without also having the file on my USB drive it won't help you log into any of my accounts
Granted, that's not as convenient on phones/tablets/etc, but given how common spyware of various types is on such devices I'd be *extremely* hesitant to access anything actually important from those unless you completely refused to install any software that has the potential to monitor your activities - a call that's becoming increasingly difficult to make even for the competent.