2FA or Two-Factor Authentication is a security measure that requires the user to successfully pass two different authentication factors to be granted access.
The most commonly used authentication factors online are:
This authentication factor will test that the user KNOWS a piece of information.
In other words, to successfully pass the validation, all you need is information.
Examples: passwords, personal information
This authentication factor will test that the user HAS something.
In other words, to successfully pass the validation you have to prove you are in possession of something.
This means that, in contrast to a "What you KNOW" factor, no amount of information in the world is enough to bypass this factor if you don't physically have access to the object to which this factor relies upon.
Examples: hardware security keys (Yubico YubiKey, Feitian), passkeys, a passport, a Time-based One-Time Password (TOTP) generator.
Note: TOTP can, arguably, be considered What you KNOW, because when using a TOTP app the user must input a secret into the app. If this secret is intercepted or if the user saves it, the "HAVING" factor is compromised.
The most common use case of SMS as an authentication step is to combine it with a login and password (What you KNOW), followed by a code received via SMS.
This leads many people to believe that SMS falls under something you "HAVE", after all you need to physically have the SIM card, or the phone with an eSIM, to connect to the GSM network and receive the SMS.
However this is not true. An attacker, with sufficient knowledge about the victim, might very well be able to impersonate such a victim in a call to their phone carrier and convince them to enable the victim's number on a new SIM card controlled by the attacker.
Another well-known possibility is when the attacker either works for the carrier or corrupts some of their employees to activate arbitrary numbers on request, without the need to impersonate their victims.
All of this is done without ever being in contact with the victim or their belongings and, therefore, it can't possibly be considered a "What you HAVE" factor since at no point the victim lost sight of their belongings.