Works just fine. You generate a password in Google's account settings to be used with certain apps that do not support 2-step authentication. This password is very long and complex and given to an app as the password. It's not single use per-se, but you can generate new one when/if you want.
Well, it's effectively single-use as there's no way to re-access the generated password - once it's generated, Google displays it only once to be input and saved, and that's it. Unless you write it down somewhere, you can't see that password ever again. I suppose there's still the slight chance that it could be brute-forced, but that is minor and it would only allow access to view your account via something other than a web browser (smartphone app, Thunderbird, Outlook, etc) and no access to your account settings. While someone could read your email, they couldn't send without your knowledge nor change anything, making it pretty obvious if anyone was doing anything untoward other than simply reading activity.
Thus far, I'm pretty impressed with how sleek this is. I can link to my account from authenticator apps on both my work BlackBerry and personal Android phones, still access email through those devices, and still link it to Thunderbird on my desktop system, while benefitting from the additional security afforded by two-factor authentication. There's really no hassle involved beyond the 5 minutes it takes to set up.
I do find it a little amusing that people are disparaging two-factor authentication while simultaneously extolling the virtues of KeePass - it's mere presence on a system is a gigantic, singular target. Personally, I embed a text file in a TrueCrypt-encrypted volume. Not only does it support better encryption and a plausible-deniability system, but it also supports two-factor authentication via keyfiles. Dedicated password managers, even excellent open-source ones like KeePass, are a gigantic "TARGET THIS TO CAUSE MAYHEM!" banner ad in the event your system is ever compromised. Especially with a keylogger.
