There's no need to install more spyware, thanks.
The starting issue is that email retrieval is typically automated. Your device polls frequently (or gets a push message), and for that to work it needs a password - one that you must make as difficult as possible, because it's used quite often. In this context, being asked for an additional manual password every 5 minutes will make you abandon that idea in, hmm, 30 minutes or so, so you automate a second authentication stream and that's where the problem starts.
Changing that mechanism means you're venturing outside RFC domain into the sort of proprietary places when the likes of Google, Microsoft et all would LOVE you to be because it would this pesky habit of people to also use other facilities that do not contribute to the great God of Profit and would, instead, empower The Evil Of Honest Competition.
If the mechanism is left open to follow, for instance, Time based OTP as provided by practically any OTP app such as Google Authenticator and many others, maybe there is scope for wider adoption, but before you engage in all that hassle, here's a tiny problem:
You. do. not. need. it.
I have a few test email accounts that genuinely have the account password "password", and have had it for years because I'm proving a point. You will not get in, yet those accounts are all polled with a frequency somewhere between 5 and 15 minutes from three separate devices. They also get dictionary attacks, which bounce. If you really KNOW about email, dictionary attacks are trivial to prevent, even from the sort of distributed botnets that are used to prevent triggering things like fail2ban. There is a time and place for 2FA, but it's not for picking up IMAP or sending SMTP.
But hey, let's just install yet another bit of spyware..
Biting the hand that feeds IT
