Actually there's a better way. If you have 2-factor authentication turned on, leave it on! You're much better off, especially if a goodly proportion of your life inhabits the Googleverse. A badguy crashes into that, you are seriously boinked (see for example James Fallows on the topic).
Instead, generate an application-specific password for iCal:
- Follow the directions for setting up iCal to sync with Google up until the point where you're going to enter your Google password -- but don't yet!
- Switch to your favorite browser, and sign into Google as you normally do.
- Click your name in the upper right, and click "Account settings" from the pulldown that appears.
- Under "Security", "2-step verification" should be "on". (If it isn't, then we're on the wrong track entirely, and you should just stop here to try something else.)
- Beside"2-step verification", click the "Edit" link. That will bring you to a page that includes an "Application-specific passwords" heading.
- Click "Manage application-specific passwords", authenticate (again), and (if you like) read up on them to your heart's content -- there's even a video.
- Enter a prompt like "For iCal on my Air" in the box and click the "Generate Password" button.
- When the box appears with the new password (on my browser, it's yellow), select and copy the nonsense text that has been generated. Don't worry about copying the spaces too, they're not significant.
- Now, back in iCal Preferences | Accounts | +, paste the password into the box. That will login successfully, and away you go!
Thanks to Judson for the hint about 2-step verification, I was driving myself crazy trying to figure this out and your suggestion to turn it off is what made the lightbulb come on!