Nobody wants to have their username and password hacked on any service, and this includes your Apple ID. If a bad guy can log in with your ID, he might be able to buy music, apps, movies, books, and other items and make you pay for them. Apple recently added two-step verification as a free, optional security enhancement for your Apple ID username and password. I've been using it for the last few weeks, and it works well and I can recommend it.
Apple calls it "two-step verification," but I usually see this type of protection called "two-factor authentication." Whatever you call it, the idea is that even if someone knows the password for your username, he still cannot log in unless he also has something that only you should have. For example, some companies protect their secure websites by requiring that users supply not only a username and password but also the number currently displayed on an RSA SecurID hardware authenticator, a number that changes every minute. A bad guy might somehow get or guess your username and password, but he presumably won't also have the SecurID that is on your keychain.
Apple implements this by making your iPhone your hardware authenticator, which makes sense because presumably only you have your iPhone. (With the text-message option, strictly speaking the second factor is your phone number rather than the handset: the code goes to whatever phone and SIM card currently receive texts for that number.) A bad guy in another country might somehow guess or hack your username and password, but he won't have your iPhone ... and if he does, you have bigger fish to fry.
To turn on the service, first sign in to your Apple ID on the Apple website. Select Password and Security, and under "Two-Step Verification" click Get Started. If your current password isn't sufficiently complicated (not long enough, lacking upper- and lower-case characters, etc.), Apple will ask you to change your password and then imposes a three-day waiting period before letting you make additional security changes ... long enough for Apple to send you an email and to ensure that it is really you making the changes. After that you can sign in again, select Password and Security, and get started with two-step verification.
There are two ways to use your iPhone for verification. First, you can use the Find My iPhone app. I wasn't able to use this option because, like many long-time Apple users, I have two Apple IDs — one that I use to buy things on the iTunes Store and the App Store (an ID that I have used since the iTunes Store opened 10 years ago and long before I had an iPhone), and one that I use for services like Find My iPhone, iCloud, etc. If you only have one Apple ID, then this option can work for you. Second, you can have Apple send you an SMS text message for verification, and this is the option I chose.
Now that I have configured two-step verification, if a bad guy were to try to log in to the Apple website with my username and password, he would encounter this screen telling him that he needs to verify his identity:
Similarly, if a bad guy tries to download something from the iTunes Store, App Store or iBookstore on his iPhone or iPad, he'll encounter a screen like this one:
Of course, if it is you trying to access your own account, you simply tell Apple to send you a code. For the text message approach, in about five seconds you'll get a message with the code. Then simply enter that code to confirm your access to the Apple website or to continue your purchase from the iTunes Store or App Store.
I was able to test Apple's two-step verification in two different ways. First, I tested using it to access the portion of the Apple website that manages my Apple ID. Second, I recently had a problem with my iPhone so I brought it to an Apple Store and they swapped it out for a new one. When I tried to start buying apps on the iPhone using my Apple ID username and password, Apple wouldn't let me do so until I verified my identity via the text message. Since this iPhone had my own AT&T SIM card, of course I got that text message, but if I were not me, I wouldn't have received that message.
Note that once you have verified a device (iPhone, iPad, etc.) as yours, it becomes a trusted device and you won't be asked for a code on it again. But the first time you sign in from a new piece of hardware, Apple will challenge you to prove that you are who you say you are.
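The flow described in the last few paragraphs (password first, then a one-time code sent to the phone, then the device is remembered) is easy to get subtly wrong on the server side, so here is an added example of the bookkeeping a service has to do. This is not Apple's code and makes no claim about Apple's internal implementation; the five-minute code lifetime, the five-guess limit, the 4-digit code length, the `device` identifier and the `outbox` list standing in for an SMS gateway are all assumptions made for the example, and the scripted session in `demo()` is constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

CODE_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses void the code
CODE_DIGITS = 4          # assumption: a short numeric code, as Apple texts


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class TwoStepVerifier:
    """Server-side state for the second step. login() is called only after the
    username and password have already been checked."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.trusted: Dict[str, Set[str]] = {}             # user -> trusted device ids
        self.pending: Dict[Tuple[str, str], PendingCode] = {}
        self.outbox: List[Tuple[str, str]] = []            # stand-in for the SMS gateway

    def login(self, user: str, device: str) -> str:
        if device in self.trusted.get(user, set()):
            return "ok"                                    # trusted device: no second step
        # Cryptographically random code; one code per (user, device), replacing any older one.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[(user, device)] = PendingCode(code, self.now() + CODE_TTL_SECONDS)
        self.outbox.append((user, code))                   # "send" the text message
        return "code_sent"

    def verify(self, user: str, device: str, submitted: str) -> str:
        key = (user, device)
        pending = self.pending.get(key)
        if pending is None:
            return "no_pending"                            # nothing to verify against
        if self.now() > pending.expires_at:
            del self.pending[key]
            return "expired"                               # stale code is discarded
        if pending.attempts >= MAX_ATTEMPTS:
            del self.pending[key]
            return "locked"                                # brute force of 10^4 codes cut off
        pending.attempts += 1
        if not hmac.compare_digest(pending.code, submitted):
            return "wrong"
        del self.pending[key]                              # single use
        self.trusted.setdefault(user, set()).add(device)   # remember the hardware
        return "ok"


def demo() -> Tuple[str, ...]:
    """Constructed session: a replacement iPhone gets trusted after one code;
    an unknown machine with the right password still gets nowhere."""
    clock = [1_000_000.0]                                  # controllable clock for the demo
    v = TwoStepVerifier(now=lambda: clock[0])
    r: List[str] = []
    r.append(v.login("alice", "iphone-replacement"))                     # code_sent
    r.append(v.verify("alice", "iphone-replacement", "bad"))             # wrong
    r.append(v.verify("alice", "iphone-replacement", v.outbox[-1][1]))   # ok
    r.append(v.login("alice", "iphone-replacement"))                     # ok (now trusted)
    r.append(v.login("alice", "attacker-laptop"))                        # code_sent
    clock[0] += CODE_TTL_SECONDS + 1                                     # let it go stale
    r.append(v.verify("alice", "attacker-laptop", v.outbox[-1][1]))      # expired
    r.append(v.verify("alice", "attacker-laptop", "1234"))               # no_pending
    r.append(v.login("alice", "attacker-laptop"))                        # code_sent
    for _ in range(MAX_ATTEMPTS):
        v.verify("alice", "attacker-laptop", "bad")                      # five wrong guesses
    r.append(v.verify("alice", "attacker-laptop", "0000"))               # locked
    return tuple(r)


if __name__ == "__main__":
    print(demo())
```

The three checks that matter are the ones the attacker in the text would probe: the code expires, it can be used once, and it cannot be guessed by cycling through all ten thousand possibilities, because the attempt counter voids it first.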
What happens if you lose your iPhone and still need to access the Apple website to change something on your Apple ID? When you first configure the two-step verification service, Apple gives you a unique recovery key that you are told to print out. Store that recovery key someplace safe, such as a safe deposit box. If you ever lose your iPhone, you can still access your account so long as you have your name/password and that recovery key. Similarly, if you ever forget your password, you can still access your account so long as you have your iPhone and your recovery key. Note, however, that if you lose access to two of these three items at the same time — (1) password, (2) iPhone and (3) recovery key — then you will be permanently locked out of your account. This makes sense because the whole point of two-step verification is that a bad guy might gain access to one of those three (such as your password or your iPhone) but he wouldn't have access to two of those three, let alone all three of them.
If you want to learn more, Apple has a good article with all of the nitty gritty details on two-step verification. It takes a short amount of time to configure, and it is a slight nuisance every time you log in for the first time from a new device, but I think that it is well worth it to protect your security. It has worked well for me, and if you want additional security, I recommend that you check it out.