Apparently passwords + secret questions (i.e. more passwords) + a "device ID" (which can be trivially faked, unlike a token) = two-factor authentication. Plus, AFAICS, the "device ID" was even allowed to change, so it didn't really come into play after the secret questions?