

Headline: Google Two-Factor Authentication Compromised

Security is always a battle between convenience and security.

The more convenient something is, the more skeptical you should be. I personally use a YubiKey and LastPass.

Slashdot reported that an anonymous reader wrote in with the following:

"The team at Duo Security figured out how to bypass Google's two-factor authentication, abusing Google's application-specific passwords. Curiously, this means that application-specific passwords are actually more powerful than users' regular passwords, as they can be used to disable the second factor entirely to gain control of an account. Duo [publicly released this exploit Monday] after Google fixed this last week — seven months after initially replying that this was expected behavior!"