Two-factor authentication is great--except when it isn't.
Most of the time, when you have two-factor authentication enabled and you try to access your account from another device, you'll be asked to verify your identity through a unique code sent to your cell phone via SMS, email, or a dedicated two-factor authentication app like Google Authenticator or Authy.
Owen Williams of The Next Web discovered that when his Apple ID appeared to be locked, he couldn't reset the account, even though he had trusted devices on hand to verify his identity. He needed the two-factor recovery key generated (long ago) when setting up two-factor authentication. But he couldn't find it--whoops!--and could've lost access to all of the apps and content bought through that one Apple ID over the years.
It's easy to blame Williams for misplacing his recovery key (he eventually found it, thankfully, by digging through Time Machine backups), but I think Apple needs to be clearer about how its two-factor authentication works. The "lost recovery key" instructions from Apple say that if you still have access to one of your trusted devices, you can create a new key.
That's not the case, though, if a hacker tries to get into your account and, after multiple attempts, your account gets locked through no fault of your own. In that scenario, you need that recovery key, and if you can't find it, there's no backup plan. (Hackers locking your account isn't as uncommon a possibility as you might think; all they have to do is continually try to brute-force accounts.)
Long story short: Protect that recovery key; don't think you can rely on just one of your trusted devices to get back into your account. Print it out and save it in a safe place. Lifehacker has instructions for replacing your lost key--but you have to do it while you still have access to your account. Brb, heading to my Apple ID page.