With iOS 9 and OS X El Capitan, Apple is introducing system-wide two-factor authentication.
The idea behind two-factor authentication is exactly what the name implies: Your password alone is no longer enough to access your account, you need something else as well. In the case of iOS 9 and OS X El Capitan, that something else is a 6-digit verification code transmitted directly to a device you trust and have in your physical possession. So what happens if something goes wrong and you get locked out? What happens if someone tries to hack their way in?
What is two-factor authentication and how does it work?
There are several "factors" that can be used for authentication. A password is "something you know". A fingerprint is "something you are". And a verification code is "something you have". When a system requires only one thing, like a password, it's "one factor" (or "single factor"). When a system requires a second thing, like a password and verification code, it's "two factor" (or "multi factor"). The first is more convenient, the second more secure.
Right now, to access your Apple account (iTunes and/or iCloud) from a new device or web browser, or to do certain things like change your password, all you need to enter in your email address and current password. With two factor enabled, you'll need to enter in your email address and current password, and a 6-digit verification code.
The difference between to the 6-digit verification code and something like your iPhone or iPad passcode—which also changes to 6-digits in iOS 9—is that it can't be remembered. A new sequence of numbers has to be generated and sent to you each and every time you need to enter them.
The verification code can be sent to any device that is already logged into your Apple account (and is therefore "trusted"), and also via SMS or automated voice call to the phone number you register when you set it up.
Unlike your password, however, the 6-digit verification code isn't something you can remember. It's something that will be different each and every time you need to use it, and so it's something that needs to be generated and sent to you anew each and every time you need to use it.
What happens if you can't get your verification code?
Most of the time you'll have an iPhone, iPad, Mac, or non-Apple phone you've signed into or registered with your account and you'll be able to get your verification code if and when you need it.
Also, since you only need it to add new devices (you buy a new iPad, for example), you log in from a new web browser (while on vacation and at an internet cafe, for example), if you wipe a device and need to set it back up from scratch, or if you want to change your password, you shouldn't need a verification number very often.
But if you do need it, and for some reason you can't access a trusted device or registered phone, Apple has a recovery procedure you can follow:
If you can't sign in, reset your password, or receive verification codes, you can regain access to your account by requesting account recovery. Simply provide a verified phone number where you can receive a text message or phone call regarding your account. Apple will review your case and send an automated message to the number you provided when your Apple ID is ready for recovery. This message will direct you to iforgot.apple.com to complete the required steps and regain access to your account.
Account recovery will take a few days—or longer—depending on what account information you are able to provide. The process is designed to get you back into your account as quickly as possible while denying access to anyone who might be pretending to be you.
You can check the status of your account recovery request at any time by visiting iforgot.apple.com and entering your Apple ID.
Can someone use the recovery process to socially-engineer their way into my account?
Whenever a account recovery process exists, some people—rightly—worry that it could be abused. For example, that a hacker could call up and con the person in charge of the process into giving them access by rattling off some names or numbers they found using search or social networks.
In this case, Apple specifically points out:
Apple Support can answer questions you may have about the account recovery process but cannot verify your identity or expedite the process in any way.
So, by eliminating humans from the communications chain, it looks like Apple has made it extremely difficult for a typical social engineering attack to work.
Where can I get more information on two-factor?
Apple has put up, and continues to update, a support document with all the basic information you need to know. We'll also be covering it in detail when iOS 9 and OS X El Capitan launch this fall. In the meantime, let me know if you have any questions!