A common rubric of two-factor authentication is combining something you know (a password) with something you have, typically a physical device that generates or receives a unique token or that, by mere possession and unlocking, you prove ownership and can verify at least that you have the physical thing. Apple's "trusted device" model for iCloud two-step logins qualifies: you have to have an iOS device that you can unlock to view the code. Apple also lets you, however, choose to send a SMS code instead of using a trusted device. (A third kind of factor, something you are, relies on biometrics.)
It troubled me, therefore, to see the SMS message with my Twitter second-factor verification code appear on my Mac, even though the Mac is something I have, because prior to SMS forwarding, such text messages only appeared on a single device: my iPhone, which I carry with me or have nearby always. If I am logging in from a Mac and the code appears on the same Mac, albeit through a different path, have I subverted some or all of the benefits of the second factor?
Apple's implementation of SMS forwarding allows all logged-in iCloud accounts, no matter on what network they are, to receive the SMS message. The way in which an iPhone or other iOS device will signal receipt will vary depending on your alert settings and whether Messages in OS X is the frontmost app.
Where it gets complicated is only in cases in which someone manages to obtain my password (what I know) and can also have access to my computer (what I have) in an unlocked state while I'm not in proxmity. While all other Continuity features require either a Bluetooth connection or to be on the same local Wi-Fi network, SMS forwarding works whenever your phone and any other device have access to the Internet. That would seem to magnify the risk — that the computer and phone could be half a planet apart.
But in practice, it's hard to imagine a scenario in which that's an issue unless you give someone your password, have written it down, or left it in a readable place on your computer and routinely leave your computer in an unlocked state, where a roommate, partner, child, or parent — or burglar or thief — could gain access.
In any scenario in which that was true, it's easy to make sure you don't fall victim to it: don't share your password or make it available in any easy to find way; and in Security & Privacy, set Require Password to a low interval. (Remember that it's your sleep or screen saver delay, whichever is less, plus the interval after Require Password before the computer is locked.) I also always recommend using Find My Mac and FileVault for remote locking and data encryption.
Sign up for CIO Asia eNewsletters.