by trotsky 4858 days ago
As an early Google two-step user, I've often wished those application-specific passwords would bind to the first property that they're used for. From what I understand, their current layered service architectures for some products make this difficult for them to pull off.

For better or worse, Google two-step authentication is primarily to mitigate shared passwords, phishing and kiosk-style keyloggers.


I confess I was misled by the name "application specific" into assuming that such a binding already occurred.
That's "application specific" not machine specific. I'm not sure, other than IP address, how they could tell machines apart.
I don't need them to be machine specific. What I expected was that a password issued (and immediately used) for e.g. authenticating to Gmail's IMAP service is then disqualified as authorisation for any other Google service.
Could they create a fingerprint of the application logging in using the request headers and user agent and watch for a greater than n% change in that fingerprint?

Obviously a hacker could just copy the application's headers...