Devil's advocate here:

If I can trick a user into submitting their username and password on my site, I can send a request to Google using that username/password and trigger a message to the mobile application. The user continues with the flow, enters the code on my screen, and I now have access to their account, same as before.



Yes. 2-factor authentication does not address site impersonation.

This is for the more common case of trying to access a user's account without the user's direct involvement (e.g., if I grabbed lists of common passwords, try to use your password from a cracked site to access an account on Google, etc.).

Classify this as "step forward" not "silver bullet".

kb


Except they specifically list anti-phishing as one of the use-cases:

"if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information."

You're right that it helps in cases where all the attacker has is your username and password. However, the blog post overstates the merits of this feature a little bit. ;)


I don't think 2-factor auth as proposed by Google is designed to prevent man-in-the-middle attacks: http://www.phonefactor.com/man-in-the-middle-attacks

In order to prevent MITM, Google would need to have out-of-band verification (not just two tokens processed on the same band).

The benefit of Google's method is that a password can't be cached for later use, which reduces the window in which an account can be compromised.
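To make the "can't be cached for later use" point concrete, here is an added example (mine, not code from the thread or from Google's implementation); it assumes the second factor is an RFC 6238 time-based code like Google Authenticator's, which the thread does not state. A relayed code works only inside a short window and only once; a code captured and replayed later, or replayed a second time, is rejected.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length
WINDOW = 1    # accept +/- one step of clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, now // step)


class Verifier:
    """Server side: a code is valid only near the current step and only once."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        # Counters already redeemed. A real server would prune entries older
        # than the window; kept unbounded here for clarity.
        self.used: set[int] = set()

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used:
                    return False  # same code presented twice: replay
                self.used.add(c)
                return True
        return False  # wrong code, or a code captured outside the window


def demo() -> dict:
    # Constructed secret: the RFC 4226/6238 test-vector key.
    secret = b"12345678901234567890"
    captured = totp(secret, 59)          # code seen at t=59s
    v = Verifier(secret)
    return {
        "relayed_immediately": v.verify(captured, 59),   # True
        "replayed_again": v.verify(captured, 59),        # False
        "cached_for_later": Verifier(secret).verify(captured, 59 + 3 * STEP),  # False
    }
```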


How is this any different than the prior situation?

Now instead of needing to trick a user into giving you their username and password, you need to trick them into giving you their username, password, and one-time token.

It's designed to address situations where the password is discovered by other parties.


The attacker would have access only for that session.


You have access until the session times out, then you'll need to make the attack again.

Granted, you can do a lot of damage before the timeout, but it's not quite as "game over" as if you got the password of a one-key system.


But there is no way to get a valid certificate for gmail.com, and people will notice!

Yeah, </sarcasm>. But it's still a big improvement.



