It seems that most of the people complaining about 2-step not working correctly are misinformed about how it is actually supposed to work. The others who are saying it's too inconvenient to re-authenticate every thirty days must not be very serious about the security of their Gmail accounts in the first place. If you'd like a good reason to get serious, Google the name Mat Honan and check out what all happened to him a couple weeks ago.
The worries about application-specific passwords are, I think, a little exaggerated; these passwords do not allow account management access, so the worst I could see happening from one of these passwords being compromised is someone accessing your Gmail content with POP or IMAP. This still could be bad, but my point is that with one of these passwords alone, there is no way someone could hijack and change your Gmail account password. +Sam Kelleher, if you look at the very bottom of your inbox, you'll see the words "last account activity" with a link for more details. This gives you all the information you're looking for: time of access, IP address, geographic location, as well as the type of access, such as browser, POP/IMAP, or application password. Also, from there you can sign out all other sessions.
Also, these passwords do not expire, and you don't have to go to a computer and update your applications every thirty days; I'm honestly confused how some of you would claim this happened to you. Actually, if you absolutely have to make the feature more convenient at the cost of a bit of security, you can just use the same application-specific password for all of your applications that require them; this includes Android devices. You don't actually have to create a new one every time; you can just reuse the same one over and over, and just go revoke it if you ever feel there is an issue.
Lastly, one more thing that makes 2-step verification a lot faster, easier, and more convenient is, instead of using the Google Authenticator app, to opt for SMS notification. This way, when you go to the site and begin to log in, you put in your username and password, and by the time you get your phone in your hand and turned on you're receiving an SMS with your code in it. On Android devices you can read it right out of the status bar notification and don't even have to unlock your device, much less open the app drawer, launch the app, etc.
For people that have their entire digital lives tied to their Gmail accounts, a feature like this should be a no-brainer. To me, giving my phone number to Google is a small price to pay for the benefit of added security, and the hopefully never needed account recovery options.