Two-step works like this.
If you want to change your password, you put in the request on the website and then they send you a code to your cell phone via text (or to another e-mail account) and you then have to enter that code on the website to be able to change the password.
It's an extra layer of protection--especially if you use the text option, as a hacker can't get that verification code unless they have your phone.
Yep, just googled it. Yeah, the banks tend to use this.
But I can understand why Microsoft and Sony haven't been using it all this time, because I guess from their point of view, they wouldn't have expected to, and it seems like a bit of an inconvenience to need this every time you want to use your gaming console.
Like I said, after the hack stuff became more prevalent, I added the Xbox Live passcode (the one that's been around since the OG Xbox where you use a passcode created with button combos on the controller) on top of having to use my Windows Live password.
You'd think adding the Xbox Live passcode AND Windows Live ID password should be enough without having to resort to 2-step for a gaming console?