Let's say that you've setup Google's Two Step Verification. Let us say for example that you're using Microsoft Office Outlook for your Gmail email. In order for this application to work, it will require an application specific password, so you create one and use that as the "password" in Microsoft Office Outlook. That password will never expire unless you modifiy Google's Two Step Verification in some way. For example, you turn it off or you decide that you no longer want to use Microsoft Office Outlook to read your Gmail email therefore you delete the application specific password because it's redudant.
Carrying on, let's say you go to a friends house and you ask him if you can use his computer to check your Gmail account for new emails. Once you go to Gmail and enter your email address and password, you will be redirected to a "verficiation" page where it will request you to enter in your "authentication code" which is generated with your phone. After entering in the "authentication code" you have an option to save that code for 30 days so that you don't have to enter it each time you login to your Gmail account on your computer. However, because you're at your friends house you de-select that option so because it is not your home computer.
Application specific passwords can only be used with applications, here are some examples.
- Mail on iOS
- Setting up an Android device with your Gmail account
- Google Talk for Windows/Other IM Clients
- Gmail Notifier Applications
Authentication codes can only be used when logging into Gmail on a browser.
You are not able to use an application specific password to login to Gmail on a browser.
Hopefully this clears up your confusion.
Honestly, it really isn't a pain to use. You setup the passwords for applications once, and as long as you don't "turn off" Two Step Verification none of the "application specific passwords" will need to be changed.
You could change your Gmail password if you wanted to and all your devices using an "application specific password" would not need to be updated. You make the passwords once, and they last for as long as you are using Two Step Verficiation.