FlyerTalk Forums - View Single Post - UA initiates Account Security Update (Security Q&A authentication added 2016)
Old Jan 25, 2023, 10:08 am
  #598  
jpezaris
 
Join Date: Jun 2004
Posts: 690
Originally Posted by Lux Flyer
No it doesn't. Security questions and passwords fall under the same factor "something you know". UA obfuscates the ability to guess the answers by process of elimination by giving you a limited rotating number of options from the entire answer pool, but it is not an MFA implementation. Two passwords don't make something 2FA, nor does password + questions. An MFA would require a distinct, separate, factor to be used such as "something you have" or "something you are".

While I wouldn't support the argument, I think the something-you-have reasoning would go along the lines of: you own a laptop / desktop / mobile device that has been validated through security questions and a token installed on it. That's the thing you have. It isn't super strong security, as has been extensively discussed, but it's better than not supporting that sort of thing.

A traditional 2FA implementation of using an SMS confirmation message on the same mobile device that's being used to access a web site doesn't strike me as substantially more secure than that, but I could well be mistaken.