There is a lot of meat in this article but I want to point out two things. First, Christina reminds us that even if you have a strong password, there are many ways to grab or nullify that.
Cubrilovic lists them in order of popularity and effectiveness:
1. Password reset (secret questions / answers)
2. Phishing email
3. Password recovery (email account hacked)
4. Social engineering / RAT install / authentication keys
But having recently activated Apple's two-factor authentication, I was still feeling smug. Then Christina springs the trap.
As we've mentioned before, Apple's two-factor implementation does not protect your data, it only protects your payment information.
Yes, if you have two-factor authentication enabled, the password reset process for an account can be greatly impeded (you need to provide a special one-off key before you can reset a password), but assuming someone can get your password anyway using any number of phishing or remote-access methods, two-factor verification is absolutely not required for accessing an iCloud backup.
Indeed. I immediately looked at Apple's FAQ on the topic, Frequently asked questions about two-step verification for Apple ID, and it states:
It requires you to verify your identity using one of your devices before you can take any of these actions:
* Sign in to My Apple ID to manage your account
* Make an iTunes, App Store, or iBooks Store purchase from a new device
* Get Apple ID related support from Apple
So Apple's 2FA is only focused on purchases and account management. It is not used to protect your data.
Given Apple's push for users to use iCloud for many more things in iOS 8 and OS X Yosemite, I believe Apple needs to put some serious resources behind protecting your data too.
(UPDATE: Apple appears to be taking some good steps in the right direction on this topic: "Tim Cook Says Apple to Add Security Alerts for iCloud Users")