The "App Password" is needed if you use a mobile application like the WordPress for Android or iPhone.
In 2-factor authentication, you use your normal password and the numeric password from the device. However, if you use the mobile applications, they have no way to input that second password. So using the plugin will, by default, make those mobile application logins fail.
Google 2-factor authentication supports setting up a password on a per-application basis. You can go to your google accounts screen and create those passwords, then copy them down somewhere and use them to login for apps that don't support the 2nd factor. In this case, you would enable the app password, create an app password specifically for mobile use on your blog, and then copy it in this field.
Doing this effectively disables the 2-factor authentication for the mobile device apps like WordPress for Android and iPhone (or anything using XMLRPC, in fact). However, if you later want to cut off all access via that route, you can just go to Google accounts and immediately invalidate that password, and thus the mobile apps will be cut off. So this is still slightly more secure by giving you that cutoff point.