1. During initial authentication you are required to enter a full-access password; the Authenticator token won't work. (Laughably, Google calls these 'application-specific' passwords. That's a lie. I wish they'd stop repeating it.) This defeats the value of the Authenticator's keystroke-logger protection.
2. You can't use your Google account authentication to encrypt your sync store. Maybe it uses the 'application-specific password'. When I try this, Sync hangs - but tells me it has succeeded. Using a separate sync password works.
There are lots of similar bugs with use of two-factor. It's really not finished; I wonder if it's one of the projects that Page has terminated. I still use it, but I don't recommend it to anyone else. The illusion of security may be worse than no security.