by abraham 4252 days ago
Simply stealing your phone isn't enough. They also need to know your password to change 2-step settings.
2 comments

So you also need to make sure that your phone's browser doesn't have your Google password stored, and/or your phone's storage is encrypted with a strong-enough key.
Google has made me re-enter my password when modifying 2fa settings.
Sure, but if it's saved in the browser then it can be extracted from the browser.
Last I checked, this was not the case, and a major cause for concern.
Every time I go to https://www.google.com/settings/security and click on 2-step verification, I'm required to enter my password if I haven't done so in the last 5 min or so.