Hacker News

>This also means that you're not entering the password which can do all of those things on a daily basis,

Before two-factor, were you really typing in your GMail password on a daily basis?

I mean, I certainly don't deny that two-factor is much safer if you can actually use it, like on the GMail site. I just worry about the big holes that application passwords punch in that wall. All it takes is one application sending your password in non-SSL when you are connected to an insecure Wi-Fi, and you are hosed. Is every Google login for every service SSL only?



Exactly. Let me know if you find an answer to this.

I have a policy where I will only add a generated application-specific password to really trusted applications (internal OS apps: mail, calendar, etc.), and have gone as far as to sniff all traffic for each of these apps.



