So you should always switch on two-factor authentication for your online accounts, if it is available. With two-factor authentication enabled, logging in requires not only your password but also a second factor: a code you receive by SMS, a number generated by an authenticator app on your smartphone, or one of a set of backup codes that you print out and keep somewhere safe. (Of these, the SMS code is the weakest, because someone who takes over your phone number also receives your codes.) Two-factor authentication would have stopped the attack on Mat.
The problem is that the second factor cuts both ways: if you lose your smartphone (or your password) and do not have your backup codes, you lose access to your account. Owen Williams, for example, woke up one day to find that his Mac was locked. Apparently, someone had tried to break into his Apple account. They failed, but Apple locked the account. To unlock it, Owen had to enter the printed recovery key, and he had never printed it. So he was locked out of his Apple account for good, and with it lost access to all the data stored on his Apple devices: his pictures, documents, contacts. (Read the story on The Next Web.) In other words, if you lose your backup codes, you may lose your data.
To make matters worse, security measures are often intertwined. Assume, e.g., that your Gmail password can be reset through an e-mail sent to your Apple address, and that you have two-factor authentication enabled on your Gmail account. This gives you some degree of security. However, if you also keep your Gmail recovery codes in that Apple mailbox and an attacker manages to gain access to your Apple account, then the two-factor protection on Gmail is worth nothing: the attacker resets the password and reads the recovery codes from the same place. An account is only as secure as every account that can reset or unlock it. The more accounts you have, the more difficult it is to keep track of these security dependencies between them.
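The dependencies described above can be written down as a graph, with an edge from each account to the accounts that can reset or unlock it (a password-reset mailbox, or a mailbox where its backup codes are kept). The following Python script is an added example, not code from the original article: it builds such a graph for a constructed set of accounts that mirrors the Gmail/Apple scenario (plus a hypothetical old ISP mailbox without two-factor authentication, added to show the weakest-link effect), computes which accounts fall if a given one is breached, and flags accounts whose two-factor authentication is undermined by a reset path through an account that lacks it. The account names and the recovery relationships are assumptions made for the example.

```python
"""Model recovery-path dependencies between online accounts and work out
what an attacker gains by breaching one of them.

Added example; the accounts and edges below are constructed, not real."""
from collections import deque

# Recovery edges: account -> set of accounts that can reset or unlock it.
# An account with an empty set (here: the Apple ID) can only be recovered
# with its printed recovery key, which is outside this graph.
EXAMPLE_RECOVERY = {
    "apple-id": set(),                          # printed recovery key only
    "gmail": {"apple-id", "old-isp-mail"},      # reset mails and backup codes land here
    "old-isp-mail": set(),                      # hypothetical legacy mailbox
    "bank": {"gmail"},                          # bank sends reset links to Gmail
}

# Whether two-factor authentication is switched on for each account.
EXAMPLE_2FA = {
    "apple-id": True,
    "gmail": True,
    "old-isp-mail": False,   # the weak link: no second factor
    "bank": True,
}


def _closure(adjacency, start):
    """Breadth-first transitive closure of `start` over `adjacency`,
    excluding `start` itself. Safe on cyclic graphs."""
    seen = set()
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reachable_from(recovery, breached):
    """Every account an attacker controls after breaching `breached`,
    by following 'can reset' edges forward. Includes `breached` itself."""
    forward = {}
    for target, controllers in recovery.items():
        for controller in controllers:
            forward.setdefault(controller, set()).add(target)
    return {breached} | _closure(forward, breached)


def upstream_of(recovery, account):
    """Every account whose compromise lets an attacker take over `account`
    (directly or through a chain of resets)."""
    return _closure(recovery, account)


def undermined_2fa(recovery, has_2fa):
    """For each account with 2FA switched on, list the upstream accounts that
    lack 2FA. Those accounts can be taken over with a password alone, after
    which the protected account is reset through them."""
    report = {}
    for account, enabled in has_2fa.items():
        if not enabled:
            continue
        weak = sorted(a for a in upstream_of(recovery, account)
                      if not has_2fa.get(a, False))
        if weak:
            report[account] = weak
    return report


if __name__ == "__main__":
    for account in EXAMPLE_RECOVERY:
        fallen = sorted(reachable_from(EXAMPLE_RECOVERY, account))
        print(f"breach of {account:12s} -> attacker controls {fallen}")
    for account, weak in undermined_2fa(EXAMPLE_RECOVERY, EXAMPLE_2FA).items():
        print(f"2FA on {account} is undermined by accounts without 2FA: {weak}")
```

Run with no arguments: the report shows that breaching either the Apple ID or the legacy mailbox hands the attacker Gmail and, through Gmail, the bank account, and that the two-factor authentication on Gmail and on the bank is only as strong as the legacy mailbox that has none. Replacing the constructed dictionaries with your own accounts turns this into a quick audit of which single account, if lost, takes the others with it.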
For more details, see our publication