The sucky part is that nothing enforces their app-specificness. It would be neat if I could generate a password that only works from my home connection. Or only works for GChat, but not other services.
You can't use an app-specific password to log in to the Gmail web interface and change your password.
so while you could use a compromised application specific password to do horrible things (download all your email and send e-mail as you), you could not use that app specific password to immediately log in to the administration page for your account and lock the legitimate user out...
Really? I could have sworn I tried and it worked just like a full login. I signed up for two-factor very early so perhaps that was fixed along the way. Neat!
How would it? If the app were built to send some sort of an identifier with it... well, it might as well use OAuth and then it could use the two-factor sign-in anyway.
Uh what? Google uses OAuth all over the place and in fact that is the correct solution to this problem. (I assume NIH is never-in-hell or something, can't say I've seen that before)
So the app-specific passwords are single-factor authentication keys. Why not just skip the two-factor authentication altogether and use a longer password/phrase?