I had been thinking about activating 2 FA but realized that if I want to use email on my phone, the account would still have a password (called an Application Specific Password.) Which to me, could possibly no better than what I have now.
But, if the ASP is highly limited from accessing anything but the page you are logging into (like Gmail), then it might be more acceptable to me. Earlier this year, there was an issue discovered on this exact possibility. »blog.duosecurity.com/2013/02/byp···ication/
(There may be an earlier thread about this on this board but I wanted to get renewed interest/fresh answers.)
This article says the loophole is fixed. Has anyone really tested it? If you are a Google 2 FA user, are there any quirks/problems?