Hi,
Just enabled 2-step verification for my Google account. I have installed Google Authenticator on my Android phone, and I set up an application specific password for the Google account associated on my phone.
This works great when just using installed apps like Gmail, Calendar and Google Reader.
But if I want to access Google Docs, Google Tasks or any other website that requires a Google login, I don't seem to be able to use a application specific password. I have to use my real password and then use Google Authenticator to make a code for the next step.
This means if my phone is stolen, revoking the password to my phone is pointless. The phone have already been verified, and all that is needed is my password, which the phones browser will have remembered.
I realize that I can take measures to ensure the phones browser doesn't remember my password, but that's just not convenient at all.
Am I missing something, or is there no elegant solution to this? Should I just let my phone know my real password?
As I see it, being able to login with application specific passwords on websites (which apparently isn't possible) is the only way I can revoke my phones access in a meaningful way.