I'm not sure how 2-step authentication works on iPhones. But on Android, the only way to get past a 2-way authentication is if the thief has your phone. At which point, a lost phone is the least of your problem. All your data and online accounts are vulnerable. Which is why I don't do any banking activities on my phone.
I enabled 2-factor authentication half way through this horror story - http/www.wired.com/2012/08/apple-amazon-mat-honan-hacking/. It's a bit of a pain, but boy it's reassuring.