OneDrive uses 2FA, as does iCloud, Dropbox, Amazon, Box, Google and others. You'll find a useful list of which services do and don't offer 2FA at twofactorauth.org.
2FA is very effective, but it does depend on people hanging on to their devices. What happens if the nominated device for 2FA gets lost or stolen?
Protect your phones
A lost or stolen mobile phone can be the keys to a kingdom. Take an iPhone, for example: it has access to email, may use iCloud Keychain to store passwords and logins for multiple sites, may have apps whose login screens have "remember me" ticked and may be the nominated device for 2FA/MFA.
Once again, the protection is there if the user or organisation enables it. Depending on the device phones can be protected with passcodes, gestures or biometrics, and if a device is lost, misplaced or stolen we can revoke app and access authorisations or remotely lock and wipe the devices.
We don't yet know whether the stolen celebrity photos were the result of a phishing attack, a brute force attack, inside information or something else entirely, but we do know how to minimise the risk of content getting into the wrong hands. We can limit access on a need-to-know basis, sharing only what we really need to share with the people we really need to share it with. We can mandate strong, unique passwords.
We can use encryption not just to protect data in transit but to lock out anyone who shouldn't be able to access it. And we can enable two-factor authentication.
Cloud computing needn't be less secure than traditional computing, but the things that make it so compelling - the ability to access crucial data or documents from anywhere on almost any device - also make it easier for sloppy security to backfire badly.