If this is an effective workaround why is it useful to disable the feature in the first place. It seems like a 16 digit password this is actually much less secure than the current state of affairs.

It's probably not much worth exploring because I'm also having to migrate off of legacy google apps for your domain as well.

Oh, so you still support application specific passwords. I couldn't find them when I last looked, or maybe it was because applications just moved to the OAuth2 model and didn't offer the option. I'm pretty sure Thunderbird's calendar extension doesn't.

I didn't ever understand why Google allowed you to enter a password into a random piece of software. In fact I'm still somewhat perplexed by them letting you enter it into a browser, but I guess they could be using the browser DRM module to get some assurance they are dealing with software they can trust.

I guess it's just too hard to make move everything to hardware security tokens. Nonetheless, I don't see an choice in the long term - physical security tokens that don't allow firmware upgrades is where we must end up.