Researchers from two-factor authentication provider Duo Security found a loophole in Google's authentication system that allowed them to bypass the company's 2-step login verification by abusing the unique passwords used to connect individual applications to Google accounts. According to the Duo Security researchers, Google fixed the flaw on Feb. 21, but the incident highlights the fact that Google's application-specific passwords don't provide granular control over account data.