While Apple doesn't specify it here, in the current system only some Apple sites and systems require two-step. Apple developers; users of its iTunes Connect system for book, music, and app uploads; and other sites allow access with just an account name and password, even for two-step-enabled accounts. This is likely to change as part of this integration, as these are all holes that can be exploited by wily crackers.
The current two-step method will continue to work indefinitely, so as not to lower security for older users nor break systems. When using iOS 8 or earlier or OS X 10.10 Yosemite or earlier, a verification field won't appear. Rather, after attempting a login with the Apple ID and password, and having the verification code appear on trusted devices, a user will then need to log in again appending the six-digit code at the end of the password in the password field. Only El Capitan and iOS 9 devices will display six-digit codes.
The use of a phone number as part of the two-factor system provides better flexibility for users, but it can also provide an opening for individual targeting. The SMS system isn't designed for security and integrity, and iOS 8 and Yosemite's SMS Relay option allows text messages to be received on computers logged into the same iCloud account as an iPhone anywhere in the world. (See "Private I," October 23, 2014.)
The end of Recovery Key
The current two-step system relies on two factors, but also included a third element for regaining access to an account: Recovery Key. The 14-character Recovery Key is generated during the two-step signup process and is meant as a backup. If you forget your password or lose access to all trusted devices and your phone number (but not both), the Recovery Key was the only way to restore your Apple ID account.
Without it, the data and purchases associated with that ID were lost for good. This could also be triggered if Apple decided your account was under attack and reset your password. Some reports indicated that Apple's customer service could reset accounts without the Recovery Key, but it seemed to be available only in limited cases and with support's discretion.
In the new two-factor authentication system, Apple confirmed that Recovery Key is gone. Instead, Apple provides more general guidance, noting that you might need to work through what it's calling in lower case "account recovery" if you "can't sign in, reset your password, or receive verification codes."
The process described in the FAQ should help overcome social engineering and identity theft, widely described as ways in to user accounts at many sites over the last several years. Apple will get in touch via a "verified phone number," which one assumes is one associated with your Apple ID account--it's worth noting that one can associate multiple numbers there.
Sign up for CIO Asia eNewsletters.