Is there anything google gets out of this? eg is there a potential for a back door? Session stealing? I understand the real enhancement inherent in a two-factor auth, but this particular third party automatically raises doubts.

Something tells me to beware any "help" from google. I'll keep using my ssh keys...