I think the issue really is broader than just what authentication method is used. That incident demonstrated a cavalcade of fail, both on the part of the user and the companies involved. From the weak verification methods used by Apple to recover an account, to the fact that the user had software installed to "find" his various Apple devices, including his desktop, and that software allows you to remotely wipe them with no additional authentication required.

Regardless, the simple reality is that the more complex you make any authentication scheme, the less likely it will be used. And ultimately, the real weak link in the chain was a human being: an Apple employee who granted access to his account even though the person making the request could not answer the "secret" questions.

I don't care how many authentication steps you add or what security devices you use, nothing will protect you from the abject stupidity of another human being who has access and control over your data. And that's exactly what the situation is when you drink the Kool-Aid and put everything in "the cloud". You are abdicating responsibility for your data to a third party over whom you have no direct control and no ability to verify that they even follow the very policies they claim will protect your information.