The issue here is that they are *replacing* a username/password with a third factor, not *adding* that third factor on top. The idea is 'who you are' (user ID) plus 'something you know' (password or ideally a pass phrase) plus 'something you have' (e.g. ubikey-ish device, some other device that's been 'fingerprinted', control of something that can receive texts, some biometrics).
I'm no expert, but I know enough about this area to say that whatever organization is doing this doesn't seem to have much of a clue about network security. If you are relying on them for anything that might cost you money, *run away*.