
There's a good bit of confusion between two-step authentication and two-factor authentication. What exactly is the difference?

The increase in strong authentication for consumer applications has created some confusion. Almost all of these applications use 'two-step authentication'. They add an additional authentication process in the form of a one-time passcode, delivered via an app like Google Authenticator, via SMS, or as a push request to a smartphone app. Typically, you log in with a username and password (step 1), then verify yourself with the extra code (step 2).

In the first step, authorization (presumably) occurs: the credentials are checked against a directory or database to confirm that the user has the right to access the application (or whatever resource is protected). The second step is authentication: is that person who they say they are? Note that there are degrees of security even within two-step authentication, because SMS may use no encryption whereas an app might.
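As an added example (not code from the original page or from WiKID), this is how the "step 2" one-time code from an app like Google Authenticator is produced, following RFC 4226 (HOTP) and RFC 6238 (TOTP) with only the Python standard library. It also includes the server-side verifier a practitioner needs, with a small clock-drift window and rejection of replayed codes. The `TotpVerifier` and `provisioning_uri` names are hypothetical, and the demo secret is the RFC test key, not a real credential.

```python
# Added example (not from the original page): how the "step 2" one-time code is
# produced by an authenticator app, per RFC 4226 (HOTP) and RFC 6238 (TOTP), using
# only the standard library, plus the server-side check with drift and replay handling.
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)

def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI an enrollment QR code carries; the secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"

class TotpVerifier:
    """Server-side check (hypothetical name): constant-time compare, +/- `window` steps
    of clock drift, and no counter at or below the last accepted one (codes are single-use)."""
    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_counter = -1

    def verify(self, code, for_time=None):
        counter = int(time.time() if for_time is None else for_time) // self.step
        for k in range(-self.window, self.window + 1):
            c = counter + k
            if c <= self.last_counter:
                continue  # already used, or older than a used code: treat as replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False

# Constructed demo secret: the RFC 4226/6238 test key, not a real credential.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "DemoApp"))
    print("current code:", totp(DEMO_SECRET))
```

The verifier keeps only the last accepted counter, so a code intercepted from an SMS or shoulder-surfed from a phone cannot be submitted a second time within its validity window; the drift window of one step each way is the usual trade-off between usability and the number of codes an attacker may guess per attempt.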

WiKID provides two-factor authentication in the one-time passcode. The user enters their PIN (something they know) into the token, where it is encrypted and sent to your on-premises WiKID server. The server generates the OTP and encrypts it with the user's public key, so that only that user can decrypt it with the private key embedded in their token (something they have). Thus WiKID's OTP represents both factors.
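The following is an added example, not WiKID's code and not a description of its actual wire protocol: a minimal model of the exchange described above, so the two factors can be seen in working code. The PIN is checked by the server before any OTP exists (something you know), and the OTP is returned encrypted to the token's public key so that only the holder of the matching private key can read it (something you have). It uses textbook RSA written on the standard library so it runs offline; the `AuthServer` and `Token` names, the 512-bit modulus and the unpadded encryption are all illustration-only assumptions, and a real deployment would use OAEP padding from a vetted library.

```python
# Added example, not WiKID's code: a minimal model of the OTP exchange described
# above, on textbook RSA from the standard library so it runs offline. Names are
# hypothetical; unpadded RSA with a 512-bit modulus is for illustration only.
import hashlib
import math
import secrets

def _is_probable_prime(n, rounds=20):  # Miller-Rabin probabilistic test
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):  # returns ((e, n), (d, n))
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, msg):
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert 0 < m < n, "message too long for modulus"
    return pow(m, e, n)

def rsa_decrypt(priv, ct):
    d, n = priv
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

class AuthServer:
    """On-premises server: verifies the PIN, returns an OTP encrypted to the user's key."""
    def __init__(self):
        self.pub, self._priv = generate_keypair()
        self._users, self._pending = {}, {}  # username -> (salt, pin_hash, user_pub); username -> OTP

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, username, pin, user_pub):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_pin(pin, salt), user_pub)

    def request_otp(self, username, enc_pin):
        """Factor 1 (something you know): no OTP exists until the PIN matches."""
        salt, pin_hash, user_pub = self._users[username]
        pin = rsa_decrypt(self._priv, enc_pin).decode(errors="replace")
        if not secrets.compare_digest(self._hash_pin(pin, salt), pin_hash):
            return None
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = otp
        return rsa_encrypt(user_pub, otp.encode())  # readable only with the token's private key

    def validate(self, username, otp):
        expected = self._pending.pop(username, None)  # pop: an OTP is single-use
        return expected is not None and secrets.compare_digest(expected, otp)

class Token:
    """Software token holding the private key (factor 2: something you have)."""
    def __init__(self, server_pub):
        self.pub, self._priv = generate_keypair()
        self._server_pub = server_pub

    def get_otp(self, server, username, pin):
        enc = server.request_otp(username, rsa_encrypt(self._server_pub, pin.encode()))
        return None if enc is None else rsa_decrypt(self._priv, enc).decode()

def demo():  # runs the exchange for a constructed user and reports each check
    server = AuthServer()
    token = Token(server.pub)
    server.enroll("alice", "4821", token.pub)
    otp = token.get_otp(server, "alice", "4821")
    accepted = server.validate("alice", otp)
    replayed = server.validate("alice", otp)
    wrong_pin = token.get_otp(server, "alice", "0000")
    # An eavesdropper holding the ciphertext but not the token's private key gets noise.
    enc = server.request_otp("alice", rsa_encrypt(server.pub, b"4821"))
    eavesdropped = rsa_decrypt(generate_keypair()[1], enc)
    return {"otp_len": len(otp), "accepted": accepted, "replay_rejected": not replayed,
            "wrong_pin_rejected": wrong_pin is None,
            "needs_private_key": eavesdropped != server._pending["alice"].encode()}
```

The point the model makes visible is that a stolen PIN alone yields nothing usable (the OTP comes back encrypted to a key the thief does not hold), and a stolen token alone is stopped at the PIN check on the server, which is also where failed attempts can be logged and rate-limited.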

This works very well for enterprises because enterprise remote access solutions are designed to support RADIUS, which can perform authorization based on the username (even with Active Directory, no AD password is required) and then authentication against a third-party authentication server such as WiKID.

Copyright © WiKID Systems, Inc. 2019 | Two-factor Authentication