
"Something you have" actually implies "something an attacker wouldn't have".

Hardware tokenizers, SMSes via mobile phones or secrets available only on your phone are all things that confirm a physical link with you that the attacker cannot reproduce even if it has a keylogger and root access on your computer.

Which cannot be said unfortunately about private keys. You can regard them as long passwords saved in a file on your computer (which you need to bring with you on a USB stick and copy to any remote computer from where you'd like to log in). Sure, they do not travel over the network, but they have zero protection in case your laptop is rooted and keylogged.




This is a very good point.

The whole US financial industry has their heads in the sand over this one. In 2005 the FFIEC (a US regulator) declared that single-factor authentication alone wasn't sufficient for high-risk transactions.

What did the industry do? They rushed half-baked solutions out the door. One of the worst offenders is Harland Financial Solutions. They created a "Multi"-Factor authentication product for online banking, which is multi-factor in name only. When you log in using a computer without a cookie set, the "MFA" system asks a security question (like, "What was your elementary school?"), then sets a cookie.

Harland considers the computer+cookie combination "something you have", and will claim with a straight face that this system is secure and multi-factor.
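The distinction both comments draw, a cookie or key file sitting on a rooted laptop versus a token whose key never touches that disk, modelled as an added example that is not part of the thread. The in-memory "disk", the user names and the HMAC challenge-response scheme are assumptions of this model, not a description of any vendor's product:

```python
import hashlib
import hmac
import secrets

# Model of what the user's laptop stores on disk; a rooted machine leaks all of it.
LAPTOP_DISK = {}
# Scheme A: "device cookie" as the second factor. The cookie is a static bearer
# secret: whoever presents it passes, and it lives on the laptop's disk.
COOKIE_DB = {}  # username -> cookie the server expects

def enroll_cookie(username):
    cookie = secrets.token_hex(16)
    COOKIE_DB[username] = cookie
    LAPTOP_DISK["device_cookie"] = cookie
    return cookie

def verify_cookie(username, presented):
    expected = COOKIE_DB.get(username)
    return expected is not None and hmac.compare_digest(expected, presented)

# Scheme B: challenge-response with a key that exists only in the server DB and
# inside a separate token; it is never written to LAPTOP_DISK.
TOKEN_KEYS = {}   # username -> shared HMAC key
USED_NONCES = set()

class HardwareToken:
    """Token whose key is non-exportable: only respond() is exposed."""
    def __init__(self, key):
        self._key = key
    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).hexdigest()

def enroll_token(username):
    key = secrets.token_bytes(32)
    TOKEN_KEYS[username] = key
    return HardwareToken(key)

def issue_challenge():
    return secrets.token_bytes(16)  # fresh nonce per login attempt

def verify_response(username, nonce, response):
    key = TOKEN_KEYS.get(username)
    if key is None or nonce in USED_NONCES:  # unknown user or replayed challenge
        return False
    USED_NONCES.add(nonce)
    expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def attacker_with_disk_copy(username):
    # Attacker holding a full copy of LAPTOP_DISK replays whatever it contains.
    stolen = dict(LAPTOP_DISK)
    cookie_ok = verify_cookie(username, stolen.get("device_cookie", ""))
    token_ok = verify_response(username, issue_challenge(), stolen.get("token_key", ""))
    return cookie_ok, token_ok
```

With both schemes enrolled for the same user, a copy of the disk passes the cookie check and fails the challenge-response check, which is the property "something you have" is supposed to give.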
