Over the past few days, compromising photos of celebrities have been posted on the Internet. It is still unclear whether any of these photos were stolen from iCloud accounts, and even less certain whether the users had in fact activated Apple ID two-step verification, but it is still worth mentioning the inherent weakness in two-step verification for Apple ID.
It does not protect your content.
Protecting content seems like a basic thing for a security feature like two-step verification to do. But there is a major difference between the solution Apple has set up and how almost every other major web service goes about offering two-step verification.
Apple ID two-step verification only protects you against fraudulent purchases through the App Store, iTunes, etc., and against anyone trying to change your account settings. All iCloud-connected services where you generate your own content are unprotected by two-step verification and require only the normal login. This includes mail, contacts, calendar, documents and, yes, photos!
Google (and most others) have taken the approach that ANY kind of login prompts a request for two-step verification, thereby securing everything inside their login wall.
One consequence of this is that even if you do use two-step verification for your Apple ID, you should consider having a much stronger password than you would usually use, and under no circumstances use this password anywhere else.