Security questions are a form of additional-to-password security (meaning, information required beyond the password) that links (usually) a rotating list of relatively common questions where the answers would be something memorable to the user. Common questions include prompts about pets, street names, family questions, and favorites. In theory, they provide additional security beyond the password in a way that can be common to multiple accounts but be personal enough to provide security while still being easy to recall for the user (even after months of not using the account).
In practice however, some questions/answers are harder to recall than others and there is a major security flaw that many of the questions can be answered by a) folks who follow you on social media (or hackers who have your data), especially for questions where you might post answers to them [such as following your mom on Facebook and her maiden name being part of her profile], and b) folks who know you fairly well (family members, good friends, but also potentially exes and estranged parents, etc).
To counteract both of these issues (recall and easy-to-find information) it is recommended that you do not answer them honestly. Either create fictional answers that can be recalled [you could potentially use a fictional source for this, though maybe using Harry Potter's information to answer is a little too guessable] or use a "password" to answer them. Alternatively, use information from your own life but that is not directly an answer to the question but can be associated with it (rather than your first/last pet, etc, maybe just pick a memorable pet from your past but one you do not talk about much online, or a favorite toy growing up, etc).
See also:
Two-Factor Authentication (also called multi-factor authentication, 2FA, and a number of things by various sites/accounts) is using a secondary channel to verify your access to the account. This can be digital (such as receiving a code via text, email, or app) or physical (such as requiring a card-reader or other USB device to be connected before continuing). For most online accounts for most users, you will see the digital options more readily. Some accounts will automatically email you an authorization code to log-in if it detects a "new" browser or it has been some time since your last access. Others require set-up to get 2FA.
Common methods of 2FA that you might see on your accounts (listed roughly from least secure to most secure) are
Different sites/accounts have different ways of handling it, so it is impossible to list them all, here, but there are sites like TwoFactorAuth.org that list many common websites and give links to set-up information.
2FA is sometimes touted as being an answer to issues that plague security questions (and password-based security in general). And it can help a number of security problems. There are, of course, issues. If your email uses the same password as your account being hacked, or if your email is compromised first, then having codes sent to your email does not stop any attempt at hacking. Texts are harder to spoof, but there are ways to clone SIM cards or to intercept texts. Both texts and the app based 2FA require you to have access to your phone and could lead to issues if your phone is lost or otherwise compromised.
Should you use it? Probably. At least on those accounts that are of particular importance to you and/or would result in notable damages if you lost them (email, bank accounts, important accounts to you such as gaming sites, etc). It is good to at least familiarize yourself with the concepts about what is available though with the caveat that knowing what security options are available are not much help if you wait until after your account is compromised to implement them. Identify the most important accounts and try it there and if you are amiable to the workflow it requires, then expand to accounts of lesser importance.
See Also: