I recently wrote a likealot about Google's attempt at making Google Accounts more secure by introducing 2-step verification.
After having had this enabled for some time, I am now ready to present my experiences, both from a personal and from a professional perspective.
At first I was close to getting annoyed at having to grab my phone almost every time I logged in to my Google Account. But after logging in once to each of my Google Accounts from each of my browsers on each of my computers, it stopped bugging me all the time (doh!), and now it only asks me to enter the verification code every 30 days (per browser/account/computer, of course).
And it feels a lot safer!
So that's the good part. It really does feel a lot safer for those apps that are ready to prompt for a verification code.
Over to the "Application Specific Password", as they call it: the fallback solution for apps that are not (yet) ready to ask for a verification code. For some of those I am close to thinking that it perhaps makes things a bit less secure. First of all, the application specific password is quite long, but consists only of lowercase letters - and always has the same length - making such passwords generally easier to guess in a brute-force attack than a user password.
Then, these passwords aren't as specific to one application as one might wish. I use one on the Google Analytics API, for example, in an application that periodically retrieves the latest analytics data and stores it in a database for display and use elsewhere. Of course, the file in which that password is stored is kept securely on the server - but if the server were compromised without me noticing, the same password could be used to retrieve my email.
Luckily, such passwords cannot be used to change any account data. At least not as far as I know.
What I would like to see is either that such passwords become truly application specific - with the fingerprint of the application somehow embedded in the password - or that further restrictions can be set on app-specific passwords: which type of data can be accessed (mail, GA data, etc.), from which IP address(es) the password can be used, or both.
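To show what the restrictions proposed above would look like in practice, here is an added example (my own illustration, not Google's code, which offers no such controls): a small credential store in which each app-specific password carries a set of data scopes and an IP allow-list, so a password stolen from the analytics server can neither read mail nor be used from another network. The 16-lowercase-letter format, the scope names and the addresses are assumptions constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed in-memory store: only a salted hash of each app password is kept,
# together with the data scopes it may touch and the networks it may be used from.
CREDENTIALS = {}

# Assumed format: 16 lowercase letters, as described in the post (length is an assumption).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 16


def _digest(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked store does not reveal the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def issue_app_password(name: str, scopes, allowed_networks) -> str:
    """Create a scoped app password; the plaintext is returned once and never stored."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
    salt = secrets.token_bytes(16)
    CREDENTIALS[name] = {
        "salt": salt,
        "digest": _digest(password, salt),
        "scopes": frozenset(scopes),
        "networks": [ipaddress.ip_network(n) for n in allowed_networks],
    }
    return password


def authorize(name: str, password: str, scope: str, client_ip: str) -> bool:
    """True only if the password matches, the scope was granted, and the client IP is allowed."""
    rec = CREDENTIALS.get(name)
    if rec is None:
        return False
    # Constant-time comparison of the hashes avoids leaking partial matches via timing.
    if not hmac.compare_digest(_digest(password, rec["salt"]), rec["digest"]):
        return False
    if scope not in rec["scopes"]:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in rec["networks"])


if __name__ == "__main__":
    # The analytics collector gets a password limited to GA data from its own subnet.
    pw = issue_app_password("ga-collector", {"analytics"}, ["203.0.113.0/24"])
    print(authorize("ga-collector", pw, "analytics", "203.0.113.10"))  # True
    print(authorize("ga-collector", pw, "mail", "203.0.113.10"))       # False: wrong scope
    print(authorize("ga-collector", pw, "analytics", "198.51.100.5"))  # False: wrong network
```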
Another thing that becomes rather tedious is managing the Google Accounts used on my Android phone (Xperia X10 mini pro). I tend to travel a bit, and when I do I generally use a local SIM card in my Android phone and keep my primary card in a backup phone. But every time I change SIM cards it forgets the login data, and I have to enter a new application specific password.
One app in which 2-step verification becomes simply annoying is Google App Engine. Every time I update the apps I have running there, I have to enter my application specific password. Well, not every time, as it does store the credentials in a cookie - but still rather often.
Despite the annoyances and doubts that come with the application specific passwords, I still can't do other than give the 2-step verification process 4 stars. It does provide extra security on Google Accounts. For the extra star, Google would need to improve the security of application specific passwords.
For me to feel completely secure, I would like Google to delay giving feedback on whether the user password was correct until after the verification code has been entered. This would make brute-force password guessing even more difficult.