The blog post says that both APIs will be getting OAuth 2.0, though. If iOS doesn't support that protocol for CardDAV, doesn't that mean that this may actually break it?

I wouldn't be surprised if they require OAuth2, but I'm guessing they'll grandfather in clients with lots of users (like Apple), until they can switch over.

I've suspected for a while that their issue with CalDAV was security. Currently you need to store a plaintext copy of the user's password to do caldav. The only copy of my google password in my iOS keychain is for caldav. Since Google Authenticator stores its key in the same keychain, both auth factors are there.

I'd kinda wished they'd propose fixes for caldav, rather than just drop it. Now it sounds like they're doing that.

I know that Google Authenticator supports application-specific passwords for applications that don't support OAuth 2.0, but I'm not familiar with Google's use of application-specific passwords outside of the context of Google Authenticator.

Perhaps that could be enabled for all users regardless of 2FA activation, and be made available for use with these and other applicable APIs?

Actually, application-specific passwords have nothing to do with Google Authenticator. Authenticator is only for the two-factor code. Application-specific passwords are just individual passwords you can set up for anything that doesn't support the two-factor authenticator login.

Just so you don't have to share the same password with multiple products.

Good point. I wish the "application-specific" passwords could be tied to a particular service. (I think they just act as a global password.) But I should switch my caldav config over to one anyway.