What is two-factor (or two-step) authentication? It combines two of the three factor types recognized in security theory: something you know (such as a username/password or PIN code) with something you have (a magnetic or smart card, token key, or mobile phone). The third possible factor is something you are, which is biometrics.
There are three major methods of two-factor implementation used by online service providers: hardware tokens, SMS, and smartphone application (software) tokens. Hardware tokens are usually offered for money and are therefore less common than SMS or software tokens. Also, the major hardware token solution RSA SecurID has recently been compromised, which further increased the motivation for using software solutions.
Many online service providers implement two-factor authentication by combining a username/password (first factor) with a mobile phone (second factor), which provides a relatively high level of security compared to traditional single-factor authentication (username/password only).
Some giants such as Facebook and Bank of America offer only SMS solutions for mobile phones. A one-time token (a 6-digit number) is generated by the server and sent to the user’s mobile phone as an SMS text. Other companies such as PayPal provide an SMS service as well as a more convenient smartphone app (also used by eBay). In the latter case, VeriSign VIP software installed on an iPhone, Android or other smartphone generates a new one-time token code (also 6 digits) every minute. The advantage of software solutions is that they do not require any communication between the mobile device and the server, which completely eliminates data transfer or text message fees.
Google offers even more options: application tokens, SMS and also voice messages.
Regardless of the particular implementation, any form of two-factor authentication provides a higher level of security and makes your account a significantly less desirable target for hackers compared to regular accounts protected by just a username/password.