And until you save images explicitly (there may be an automatics download at a later date), removing them from the photo stream  will remove them from the Mac, too.

He didn’t *deserve* anything like this, of course, but his lack of backup is staggering.  A time capsule – even a second drive – would have saved him all that grief.  Mind boggling, especially for a tech journalist who has an even bigger risk of losing his laptop. 

I can think of a couple: 

1. A thief physically steals your phone.
2. If you keep an emergency list of codes in hardcopy form, a thief physically steals those.
2a. If you keep an emergency list of codes as a text file somewhere, then it’s only as secure as the access to that file.

And then a couple of ways of defeating it that I don’t know how plausible they are:

3. A thief cracks the algorithm used to generate authentication codes.
4. A thief gets your text messages forwarded to him. 

Google turns up a lot of people who want to set up auto-forwarding of text messages, and there’s theoretically a command code to do it on GSM phones — but I’m not seeing any reports of the command code actually working for anyone, and a lot of reports of cell phone carrier phone support telling customers it’s not possible.

May I suggest a micro- usb with  a Keepass DB, and a copy of that on at least one HD at home? And, if you want a “two-factor ID”, just save a random key file in your favorite cloud service.

Forget the phone-based 2-factor stuff: it’s not secure.
Never was. It’s just a way to get your phone number. If it’s a worthy ID, than it’s one for the money-gathering department of your email provider.

In response to password strategies: http://xkcd.com/936/

“They packed a mnemonic into an advert jingle, which, once embedded in my subconscious unpacked itself and began distracting me with OCD and childhood memories as it slowly deactivated my Cortical Guard. Soon I was mamboing to the tune of the Russians.”

I don’t see any way around the fact that when they contacted Amazon, falsely claiming to be him, and obtained something of value from Amazon in exchange, then no matter how bad Amazon’s system is, that doesn’t change the fact that they committed fraud. Federal felony fraud. I don’t see any way around the fact that when they misrepresented themselves to Apple as him, and obtained from Apple the tools with which they vandalized his property, that no matter how incompetent Apple’s security measures were, it doesn’t change the fact that they committed severe vandalism — considering likely pain-and-suffering losses, probably even felony level vandalism. Across state lines.

Frankly, they shouldn’t have to have been told that what they did was wrong; shifting any significant part of the blame onto their victims (him, Amazon, and Apple) muddies the waters and plays into their BS rationalizations. And if the next person has any doubt that what these people did to him, to Amazon, and to Apple was wrong, that should be settled by making an example of them in the federal courts.

Seriously, Antinous. I doubt you live in a place that is armored like a bank vault, and I doubt that the physical lock on your house is impregnable; Boing Boing has done enough coverage of lockpicking culture that I feel pretty confident that even you agree with that. Does that mean that it’s partly your fault or the maker of the lock on your front door’s fault if someone picks that lock or kicks in your door and smashes up your electronics with a hammer? You probably don’t walk down the street wearing a combat helmet, and even a bicycle helmet won’t protect your head from a crowbar. Does that mean that it’s partly your fault or the maker of (say) your bicycle helmet’s fault if someone walks up behind you and bashes your skull in with a crowbar?

Locks, whether hardware or software, keep honest people honest; the best locks are only there to make it time consuming enough for people to bypass them that they increase their risk of getting caught or leaving evidence, not to make access impossible, because making access impossible is, itself, impossible. As soon as they ran into the first password login screen that asks “are you mhonan” and they said “yes,” they knew they were doing the equivalent of kicking down a locked door. For this, they need to be tracked down and made an example of. Period.

If they’re asking you the security question in the first place, then, yes, the user’s password management has *already* failed. Bonus points for not merely blaming the user for the fact that it has done so.

If she’s an employee and providing her own equipment it crosses the line to independent contractor and can become a liability to her and the company regarding how she is seen and who pays what taxes.