If you manage a website or web app that sends emails as part of its functionality, i.e. sends “forgot password” links or contact form submissions, you need to think about how to send these emails without jeopardizing your security. If yours is a simple web app that doesn’t send a large volume of emails, and therefore doesn’t require the services of an email delivery platform like MailChimp or SendGrid, then sending emails through your Gmail account is probably sufficient.
However, you won’t want to hand your own Google password over to the developer you are working with, or have it live within the code-base (you also probably don't want to change the password within the app or website each time you change your personal password). Thankfully for Google Apps users, there is a secure way to generate passwords that are specific to an app or website, and different from your personal Gmail account password.
Follow these steps:
The Admin must log in and, under "Security, Basic settings", click “Allow users to turn on 2-step verification”. Then, click “Save."
The User can then log in and, within "My Account, Sign-in & Security", click “2-Step Verification”. Heads up: Originally, I was unaware of step 1 and, amazingly, Google doesn’t offer any error message. This resulted in me entering my password several times without being prompted to contact the Admin and complete step 1.
After 2-step verification is set up, click into "App Password" (right under "2-Step Verification") then within the Select App dropdown, select "Other (Custom name)". Give the app a name, and generate a unique password for it!