In the security sector, e.g. PCI, three factor authentication requires three *different* factors. Common factor definitions are “something you know” (e.g. password, but can be easily shared), “something you have” (e.g. mobile phone/RFID tag), and “something you are” (e.g. a biometric). So, in this example, a one-time-password sent to your phone would still be a “something you have”, same as the RFID tag, so still classed as two-factor authentication. For a deeper discussion on this, see https://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/

Ignoring my pedantry, looks a really interesting project – both for the overall concept, and for giving starting points for people wanting to deal with the individual elements of RFID reading, sending one-time-passwords etc (although just saw they’re storing plaintext PINs/passwords in a database, which is never a good thing – Troy Hunt has a good article on password (or PIN) storage https://www.troyhunt.com/everything-you-ever-wanted-to-know/).

This isn’t three factor authentication, just three inputs of two security factors. When we speak of multiple factors in security, we are referring to the four authentication factors: something you have (device or keyfob), something you know (password or pin), something you are (biometrics), and somewhere you are (used much less, but used for things like identifying if the device is connected to its home network).

This implementation features something you know, the passcode, and two instances of something you have, the keyfob and phone. While it might be arguably marginally more secure to require two things that have to be stolen in order to access the system, the actual security complexity this sort of setup adds does not amount to much. Additionally, the one time passcode delivery systems on the market are typically not very secure. SMS messages in particular are notoriously easy to intercept and should never be used over time-based authenticators like Google authenticator.

Studies have shown that users find actual three-factor authentication less burdensome than multiple implementations of two factors. For some reason, our brains just accept it more. You would be better off implementing a cheap fingerprint reader or IR camera into this setup both for greater security and better user acceptance.

“it’s a perfect setup for inside doors to offices or basement lairs.”

…or for guarding your precious cookie / oreo stash ;-)
https://www.raspberrypi.org/blog/laser-cookies/

Speaking as someone with a background in InfoSec, that’s pretty cool. Nice to see one-time-use codes coming within the realm of everyday folks.

OTOH, speaking as someone with a background in InfoSec, I have to recommend to everyone: before you go to this effort, realize that physical security is a large domain of information security–neat, high-tech security is impressive, until a common criminal gets around it like he would any other lock by kicking in your door.

Lengthy explanation you can probably skip:
The video very specifically says internal doors, but let’s use a hypothetical one everyone can imagine: Your home’s front door. Understand that your front door probably swings into your home, like nearly every other front door out there. That’s because that keeps your hingest inside, so they can’t be tampered with. But you’ll notice most businesses have doors that swing outward. This is generally because egress laws require it. (In the event of a fire the door has to swing the way people would be running away, cuz bad things have happened otherwise.) This means they have hinges on the outside. That’s bad for them, right? Not anymore; we have tamper-resistant hinges now. It actually provides them with a very specific benefit that most homeowners don’t get: trying to kick in a door that swings outward requires the attacker to break through the door jamb–the extended part of the door frame that stops a door when it closes shut. By contrast, on the door to your home, it’s being kicked in the direction it swings, so it doesn’t need to go through the jamb. So rather than a chunk of wood attached to the frame (and wall) the length of the door, the only thing the attacker needs to break is the little bit of frame with the mortise for the strike plate and latch bolt. The strike plate are generally held in place by tiny screws, and the wood stopping the whole thing from being kicked inward is perhaps an inch wide. It’s literally a simple matter of splitting off a bit of wood.
So while high tech is super cool, if it’s important enough to protect it with three factors of authentication, it’s probably also important enough to ensure you’ve more than an inch of wood, or two sheets of 5/8ths inch drywall separating your valuables from an attacker. Make sure the door either swings towards you, or there’s a big servo moving a metal bar across the back of the door. Or both. With a steel door. And reinforced walls. :)

Looking at the video, a fire warden would condemn the building. Personnel safety in the event of fire always has to trump security. The solution above doesn’t satisfy the need of having a panic bar / emergency exit button to exit the room, overriding the security system. $0.02

Wrong implementation, for physical access is should be, one thing with you have, one with you are, one with you know. For example rifd card, password and fingerprint.
You have two with you have and one with you know.

Yet, all it takes is just a nice and shiny crowbar. ;)