TwoFactorAuth.org provides a useful list of widely used sites that have enabled two-factor authentication (2FA) for their users. In an article on Wired, Josh Davis, the founder of TwoFactorAuth.org, describes the site as "a single place to go when determining alternative services based on the care and engineering they have in place for their customers."
Scrolling through the list could be very concerning for users with accounts at some of the very well-known and trusted companies that are pointed out here as still not 2FA-enabled. The sites that have already enabled some form of 2FA appear in green, but take a closer look: the 2FA approach they have implemented is described here too, and the majority seem to have done this with SMS, sending a one-time password to the user's mobile device.
When considering the importance of 2FA, it's extremely important that end users understand not only that the companies they know and trust are taking steps to increase security, but also what those steps are and what exactly they are securing. A one-time password via SMS essentially makes a hardware token out of the end user's device, but it does not validate the identity of the individual making the request and does not protect activity on that device, at a time when the number of transactions users perform on their mobile devices is skyrocketing. 2FA is truly meaningful when it elegantly addresses the need for security while integrating successfully with the user experience, which fuels widespread adoption. Before we breathe our sighs of relief when we see our sites in "green", we need to make sure we understand what is really being protected, and under what circumstances.