Two-step verification on the Mac has been a thing for a while now. It's a solid level of protection for your Apple ID that requires you to enter a code when accessing your Apple ID account information, signing into iCloud on a new device, using a service like FaceTime or making a purchase at the App Store or iTunes using a new device.
The process is fairly simple; simply go to your Apple ID account page and choose "Get Started" under "Two Step Verification". You'll be asked to register one or more devices as trusted devices that can receive SMS messages and you'll be given a recovery key that you should keep in a safe place in case you ever lose access to those trusted devices.
When you want to do/access one of the protected services then an SMS gets sent to your trusted device. If I want to sign into iCloud on a new iPad then I'll plug in my iCloud password and the four-digit code that gets sent to my trusted device (i.e., my iPhone). It's a simple and intelligent way to strengthen security; unless you have my iCloud password, my iPhone and/or the recovery key then you're out of luck.
So, two-step verification is awesome. What could be better than that? Enter Two-Factor Authentication.
On the face of it the whole Two-Factor/Two-Step thing looks like a semantic difference. In both cases you're trying to access a service on a device and using an authorized device to enable that. What, in so many words, is the big deal?
Two-Factor is an upgrade that came with iOS 9 and El Capitan, and it utilizes a lot of the security upgrades that came with those two OSes. Instead of pushing a four-digit verification code to one SMS-specific device, it pushes a six-digit code to all of your authorized devices; further, it pushes the geographical location of the request to those devices (although that doesn't seem to play nice if you're using a VPN service). It's a streamlined approach that ditches recovery keys and puts paid to app-specific passwords for anything that isn't an incompatible service.
Turning it on can be done in either iOS 9 (although the process seems to be broken in iOS 10 beta) by navigating to the iCloud System Preference pane, hitting "Account Details", then choosing the option from "Security".
These kinds of things are not panaceas, and reasonable caution is the piece of the puzzle that you have to engage in; however, Two-Step and Two-Factor authentication are an excellent protection for your AppleID and devices (provided you don't write your AppleID and user passwords down on a sticky note on your iMac and leave them unattended...)