The main difference between two-step verification (2SV) and two-factor authentication (2FA) is 2FA requires a distinct "factor." What is a "factor"? It's generally regarded as one of these things:
- Something you know: e.g., user name and password
- Something you have: e.g., a smartphone, a code generator fob, etc.
- Something you are: e.g., fingerprints, voice, something you can do
2SV typically only covers what you know: you know a password and can access something where the second step will be performed, but it may not necessarily require a separate device. For example, if you get a code emailed to you, this is not 2FA, because you can access the code on any device that can log into the email account. Even something like getting a code sent via SMS is considered 2SV, because you can receive SMS messages on a computer now, especially with Apple products.
To be 2FA, you must have another device to access the system. For example, I have a few accounts that require a constantly changing security code that an app on my phone handles. I cannot access this app on my computer, so if I log in via my computer, I
must have another device (i.e., a phone with this app) to log in. Though some services take this a step further and ties the device to your account. With Apple and Google, you tie a phone to your account and every time you log in to one of their services, your phone will pop up with a message asking if you approve the login. So if you lose the device, you lose that factor (which is why Google and I'm sure Apple provide a backup method to log in).