Google's new 2-step verification process, and using it with 3rd party applications (like MarsEdit)

Date: Fri Apr 25 2014 MarsEdit »»»» Google Accounts »»»» Google

Did you turn on 2-step verification recently in your gmail account, and then see MarsEdit stop working, and groan "NOW WHAT"?  That's what I did recently, and fortunately there is a simple way to get 2-step verification to work with applications.  The issue is that most (all?) applications do not know how to do the 2-step verification process and instead fail to log you in.  By "application" I mean a non-browser application, like MarsEdit or Picasa, or I suppose some websites that do authentication against your Google Account might also fail to work.

Google in their infinite wisdom has published a video describing the new verification process, the issue with applications, and the procedure to resolve the problem.

Let's walk through the steps.

First you go to your Google Account Settings page.  In gmail (currently) if you click on your email address in the upper toolbar, it drops down a menu-thingy that includes the phrase "Account Settings".

On the Account Settings page there are links on the Overview tab - a) 2-step verification, b) Authorizing Applications & Sites

You can enable 2-step verification from the first of those links.  The benefit of 2-step verification is an added layer of security, where you get additionally verified through an SMS message sent to your cell phone.  I'm not entirely convinced this will always work as intended because for example what happens when you're traveling outside your country and maybe don't have roaming access with your normal cell phone to the local cell phone network?  Or what if you leave your cell phone at home, and need to authenticate while you're away?  In any case the verification, when your cell phone is handy, works well, because a message pops up on your phone right away with a number that you type into the entry box and you can go your merry way.

As noted this doesn't work for Applications like MarsEdit, and that's where the second link comes in.  Here you can revoke existing access grants but the important part for our immediate needs is the lower part of the page where there's a heading reading Application-Specific Passwords.

What you do is enter an Application Name, click the button, and it tells you a gobbledygook string that's the password for that application.  Google knows enough about the gobbledygook that it can recognize the application and all will be well.  The good news is you only have to do this once per application.

It's really pretty simple and it just works.