Yesterday I got a Yubico Security Key. Technically it's a dongle, but luckily I have a 2014 MacBook Pro with USB-A ports, so I don't need an additional dongle for this dongle. In Google Chrome it was fairly easy to turn on 2-step verification for my Google account and set the Yubico Security Key as my 2nd step. However, as soon as I turned on 2-step verification, I was no longer able to access Gmail in Mail app on the Mac. Unfortunately it appears that Mac Mail does not support the Security Key, at least not on High Sierra. (Although I haven't tried on Mojave, I've never heard anyone say that Mojave added this feature.) The question is, can you still use Gmail with 2-step in Mac Mail even without Security Key support?
Apple and Google seem to give conflicting information about how to use 2-step with Mail app. According to an Apple support article published August 16, 2018, "if you turned on Google’s two-step verification your Gmail account in Mail now requires the appropriate app password." Yet according to a Google support article, "If you have OSX 10.10.3 on your computer, you will no longer have to use App passwords to use 2-Step Verification." In Google Chrome I tried generating an app password for Mac Mail, but Mac Mail would not accept it. The password field in Mail app was insistent that my Google account password was required. It appears that both support articles are wrong. The Apple support article is totally wrong about macOS 10.13, and while the Google support article may be right that Mac Mail supported app passwords before OS X 10.10.3, it's wrong in implying that app passwords are optional in 10.10.3 and later, when in fact they don't appear to be supported at all in macOS 10.13.
After failing with an app password, I was finally able to figure out how to access Gmail with 2-step in Mac Mail: You have to use a backup code. On the 2-step page in your Google account, there's a section for generating backup codes for when you don't have your Security Key available. Backup codes are similar to app passwords in that each backup code can only be used on a single device. The difference is that you use an app password in place of your account password, whereas you use a backup code in addition to your account password, so it's still 2-step verification. Here's how to make it work:
If you now log in to your Google account and go to the security page, you'll see "OS X" under "Apps with account access". Success!
In conclusion, if you can avoid it, never turn on 2-step verification, because it's a giant hassle and mostly security theater.