I've been using Google's two factor authentication for a few months. It works reasonably well for the core Google App suite (gmail, calendar, contacts, etc) from a web UI if I use Chrome.
Even there, however, there are bugs. Even on machines I don't authorize for '30 day use' I sometimes connect without a request for an authenticator token. I think this is improving, but there's still no way to de-authenticate a '30 day' machine from the Google Account.
Beyond the core services though, there are lots of problems. The worst of these is Google's "Application Specific" password framework. It's the software equivalent of medical malpractice.
The problems start with the misleading name. There is nothing Application Specific about these passwords. If you write one down, or if one is captured by a keystroke logger, it works with most (all?) Google services. The same password can be used with an IMAP client to download email or with Google Chrome to sync passwords. If you know one has been lost, it can be revoked, but of course by then it's too late.
The only sense in which these "additional passwords" are "application specific" is that Google has us label them by application. This is worse than worthless; it's misleading.
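The distinction the two paragraphs above draw is between a password that is merely labelled with an application name and one whose scope is actually enforced at verification time. The following is an added illustration written for this post, not Google's code and not a description of how Google's backend works: a hypothetical credential store, `PasswordStore`, that can run either way, so the "blast radius" of a single leaked password can be compared directly. The `enforce_scope` switch, the `id:secret` password format and the service names are all assumptions made for the example.

```python
"""Label-only versus scope-enforced per-application passwords.

Added example (hypothetical design, not Google's implementation). The only
difference between the two behaviours is one comparison in verify().
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class _Record:
    salt: bytes
    digest: bytes
    scope: str          # application label chosen when the password was issued
    revoked: bool = False


class PasswordStore:
    """Hypothetical store of per-application passwords."""

    def __init__(self, enforce_scope: bool) -> None:
        # enforce_scope=False reproduces the "label only" behaviour: the label
        # is recorded for display but never consulted when a login arrives.
        self.enforce_scope = enforce_scope
        self._records: dict[str, _Record] = {}

    @staticmethod
    def _digest(salt: bytes, secret: str) -> bytes:
        # Passwords are stored salted and stretched, never in the clear.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def issue(self, scope: str) -> str:
        """Mint a password for one application; returned as 'id:secret'."""
        cred_id = secrets.token_hex(4)
        secret = secrets.token_hex(16)
        salt = secrets.token_bytes(16)
        self._records[cred_id] = _Record(salt, self._digest(salt, secret), scope)
        return f"{cred_id}:{secret}"

    def verify(self, password: str, service: str) -> bool:
        """True if `service` accepts `password` (secret correct, not revoked,
        and, when scope is enforced, issued for that very service)."""
        cred_id, _, secret = password.partition(":")
        rec = self._records.get(cred_id)
        if rec is None or rec.revoked:
            return False
        if not hmac.compare_digest(rec.digest, self._digest(rec.salt, secret)):
            return False
        # This line is the whole difference between the two designs.
        return (not self.enforce_scope) or rec.scope == service

    def revoke(self, password: str) -> bool:
        """Revoke by password; returns True if something was revoked."""
        rec = self._records.get(password.partition(":")[0])
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        return True


def blast_radius(store: PasswordStore, password: str, services: list[str]) -> list[str]:
    """Which of `services` a leaked password would unlock."""
    return [s for s in services if store.verify(password, s)]


if __name__ == "__main__":
    # Constructed service names for the comparison.
    services = ["imap", "chrome-sync", "calendar"]
    for enforce in (False, True):
        store = PasswordStore(enforce_scope=enforce)
        pw = store.issue("imap")
        print(f"enforce_scope={enforce}: leaked IMAP password unlocks "
              f"{blast_radius(store, pw, services)}")
```

Run either way, the password is unreadable from the store and can be revoked; only the scoped store limits what a keystroke logger gains from capturing it to the one service it was issued for.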
I find I have to use these "additional passwords" very frequently. Today, when I tried enabling Google Sync in the very latest Chrome release, I was asked for one. That was on a less-trusted machine; if a keystroke logger were running, it would have been lost.
Obviously, I'm disappointed. Actually, I'm kind of appalled. This smells like a marketing maneuver. Somewhere in Google there are security people contemplating honorable seppuku.