It doesn't have anything to do with XSS or SQLi, quite right. But in his intro he dismisses two-factor auth as some sort of advanced security technique when in reality I think two-factor auth is quite a simple way to dramatically improve security.
Like I said elsewhere, that's a major cost/benefit calculation in terms of both real cost and user experience/conversion rate cost. If it makes sense for your app, do it, but it's not part of the basics, at least not yet.