In this scenario, the user used two credential categories to gain entry to the building: something the user has (their phone) and something the user knows (their PIN).
The user first used their phone as a credential by starting the app and touching it to the lock console. This is an example of a credential in the "something the user has" category, as the user must physically possess the phone in order to use it as a credential.
After touching their phone to the lock console, the user then entered their PIN to gain entry to the building. This is an example of a credential in the "something the user knows" category, as the user must have knowledge of the PIN in order to use it as a credential.
Therefore, the user used the "something the user has" credential category first, followed by the "something the user knows" credential category.