... anyone can pretend to be you, and attempt to get into your account, saying they've forgotten the password, and then attempting to answer the security questions that you chose when setting up the Apple ID. If they get through them, because they know the name of your first pet, your favorite sports team, and whatever else, they can access your account. Unless you add an additional layer of security.
... This means that your password alone is not enough; you need to have information that is sent to you or generated on a trusted device. My bank uses a device that gives me one-time codes when I log into my account; my username and password aren't enough. In Apple's implementation, any time you log into your account from a new device, they require an additional code, which is sent to one of your trusted devices: your iPhone, iPad or iPod touch.via How to Activate Apple’s Two-Step Verification for iCloud | The Mac Security Blog
I had hoped to write an article like this. I think Kirk a better job than I would have.