It's called Two-Step Verification simply because it verifies you twice before granting access to your account using two things: your password and something that is with you like your phone. You should enable this in all your online accounts that support it. Why? To protect yourself and your data from being accessed by unauthorized peeps even if they get a hold of your password.
Social engineering: phishing for your password
How do other people gain access to your account? They steal and then use your password. How? By social engineering. What's that? It's a broad list of mind tricks to get you to surrender your information. One rampant method is phishing.
There are plenty of ways to phish but a common way is for a cracker (not hackers anymore, please) to send you a fake Facebook email notification that will lead you to a Facebook website clone that they created. You try logging in and poof, you have submitted your username and password to their fake Facebook website. There are many other common ways for them to get your password.
This isn't only for Facebook. There's phishing for all websites. You should know that even bank websites are not exempted.
Websites that have adopted two-step verification or two-factor authentication are protecting your account by determining it's really you logging in (and not an angry ex trying to check your message history) with two steps:
Step One: The website verifies if you know the email and password to log into your account with the default login screen.
Step Two: After you pass Step One, the website sends you a message containing a code through another channel that only you can access. You will use this code to complete your login.
There are many channels to get the code to you but the common ones are via email, SMS, or via an authentication app (more about this app later). Options may vary depending on the website. Since it is expected that only you have access to your SMS messages, email, or authentication app, Step Two will check if it's really you trying to log in.
How does this protect you?
If your password is stolen via phishing (or it's super simple and can be guessed, which is also a bad thing), a secret admirer may use this info to log into your account. They will successfully pass through Step One above. However, when the website sends a code to your phone or email, the psychopath fan will not get this code and thus cannot go past Step Two. It's pretty simple.
Mercenaries will probably have a gun to your head and ask you to do Step One and Two yourself assuming you have information worth blowing your head off for.
Enable it on these websites now!
Now that you understand what two-step verification is, here's a nice list of websites that support two-factor authentication:
|Google ID (all Google services)||Yes||Yes||No|
|Microsoft Live (Skype, OneDrive)||Yes||Yes||No|
I'm sure you're using more than a handful of these services. You will have to do your own homework on how to find the security settings in the websites you use. You can find a better-looking table with more websites on Two Factor Auth List.
Another way for you to acquire Step Two codes is using an authentication app. One example is Google's Authenticator app (available on the Android Google Play Store and iOS App Store). This leverages the fact that it will be installed on a phone that will always be with you. After setting it up with the website that supports it, use the app to get the Step Two codes to proceed with your login. You would know a website supports an authentication app because it will show you a QR code on its security settings.
Google has a nice video summarizing everything I've discussed and how to set up the Google Authenticator app.
Set up your two-step authentication with websites you use now! If a website you use doesn't have two-step verification, contact its support personnel and ask them to improve their security settings to protect their users.