That "very definition" is used incorrectly by so many people, including you. When you're slapping it into a call to an encryption/decryption function, it's ALL effectively "something you know". A thumbprint hash is just data, so is a keyfile, so is the output of an RSA clock at any time. Security "experts" tried to model this off of physical security principles, but they don't translate over. That doesn't stop them all form parroting "something you know, something you have, and something you are hurr derp", though.
Something you HAVE and something you ARE need to be verified by some authority that controls access. It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.
You can try to use automated arbiters, but they're vulnerable. A thumbprint scanner can be tricked into scanning a fake thumb or someone else's thumb, or it can be bypassed completely if you know the output it gives for your target thumb. A car with a breathalyser can be tricked by having someone else, or a raccoon, blow into it (that story was fake by the way - http://www.inquisitr.com/24605... ). Or, again, if you know what the breathalyser outputs on a good blow you can bypass it entirely.
You can try to use remote arbiters. A typical example is a security camera and a remote person monitoring and unlocking doors and shit. You can attack the camera, dress up as the target, put a photo of the empty hallway over the camera so that's all it sees, whatever. For an apartment gate/door with an intercom and a "buzz me in" system, you can pretend to be anyone to anyone who can buzz you in, or you can click the button a bunch and make the sound distorted and someone will just fucking buzz you in to make it stop, or you can always attack the gate.
Something you KNOW is the only thing you can use without an arbiter, because the mere knowledge of that thing is what constitutes valid access.
Something you ARE and something you HAVE require an arbiter for verification, otherwise the mere knowledge of those things can be used to masquerade/forge the thing that you ARE/HAVE. Automated and remote arbiters are better than nothing, but their automation/remote nature make them less able to verify the ARE/HAVE to the same degree an active and present arbiter can.
The most common "two factor" authentication systems in place are RSA clocks and one-time passwords sent via SMS.
No one verifies that you have and own that dongle with seed XYZ or that the specified phone number belongs to you. They verify that you know the code the dongle output or that you know the code they send you. Knowing either isn't very hard, and you can attack on either end.
RSA clocks: Attack the database that has the seeds and generate your own valid codes willy nilly. Steal the dongle. The easiest, however, is to pwn the target's device / MITM the target's network connection. When they're doing shit intercept the code and use it in your own attack (they all have pretty wide validity windows to account for clock skew, time for users to type it in, latency and processing time, etc.) This is why many places now require you two input two separate codes to disable the dongle - a victim will typically not provide 2 codes within a short time span. Of course this is pointless as the attacker can spoof a message to the victim saying the first code was rejected, try again. The user will do so immediately and the attacker now has 2 valid codes and can remove the dongle from the account.
SMS: You can attack the server that generates the codes, the service that sends out the SMS, steal the cell phone, or whatever. The easiest, however, is just downloading the SMS messages yourself - all you need to know is the target's phone number (SMS is incredibly insecure).
The RSA clocks are the better of the two since a successful attack requires either an active attacker or an undetected breach of the database containing the seeds. (Or breaking the algorithm.) But they are absolutely not "something you have" when you present the code. They are "something you know".