TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP).
via Bypassing Google’s Two-Factor Authentication – Blog · Duo Security.
Also from: Google Security Vulnerability Allowed Two-Step Verification Bypass – Dark Reading.
A successful attack would require first stealing a user’s ASP, which could theoretically be accomplished via malware or a phishing attack.