When using Google's two-step verification with services that can't use it, such as mail clients on smartphones and desktops, the solution is to create application-specific passwords for those services.
Does that make things less secure than just using one password as this opens up the account to more that one password?
Google's application specific passwords are random and quite long. Those passwords don't occur in any dictionary and cannot be brute forced. So, they are very strong, typically stronger than any password chosen by humans.
Using different passwords for different applications usually increases security. Since, if a password is leaked for one application it cannot be used for another appliation.
