Recently, I found that 2-factor authentication is increasingly in use by popular online sites. Sites like Twitter, Yahoo and Dropbox have already implemented simple 2-layer authentication via SMS. I applaud the move as it adds further layers to prevent hacking. Just a few years ago, only banks are doing such thing for their own protection. While email authentication has been around for decades, it was found not to be as secured, especially when the hacker is highly likely to be hacking into the very email account that delivers the authentication codes.
In my memory, the first online site that implements a comprehensive mandatory 2-layer authentication was Microsoft Live. Before anyone else, Microsoft Live already mandates this feature and with additional options. You can define as many emails or phone to receive the authentication. Instead of automatically sending to your single authentication device, it first asks you to select the device, and enter the full device information. So if you select your mobile number, you need to enter your number. You can also print recovery code in case you cannot receive authentication codes, e.g. when traveling.
Norton is one of the few anti-virus companies to implement 2-layer authentication. It also supports software token where you install an app on your PC which generates a random code whenever you needed to authenticate.
To balance the need for constant validation, some sites offer consumers to mark devices as trusted or safe, so that when you use devices, you will not be asked for 2-layer verification. Another check is location-based. When the site detects that a login was made from an unfamiliar location (made possible by checking the IP), it triggers the 2nd authentication. Most of us would not know of this location-based check until we travel to another country, which I found while vacationing in Australia recently.
While most online sites do not mandate 2-layer authentication, it is highly recommended that you activate it for your own protection. It is noted that financial institutions mandate the 2-factor authentication, mainly to protect the institutions from fraud which they are partially liable. Recently, my retiree-dad tried to purchase tickets online using his credit card but was prompted for a OTP (one-time password) which he did not have. So I told him to call the bank to sign up so that he can engage in online transactions.
Nevertheless, such security measures are only good to ward off off-location hackers. If hackers get hold of your 2nd-layer authentication devices or your hardcopy backup codes, they could still hack into your accounts. But for hackers to do that to you, you are either some big shot or you have some valuable data that is worth the trouble.