[dudus]

I think the fact you can't generate an app password without a 2FA is because it never made sense. You would be better off just logging into your account directly. Now that you can't do that it makes sense. I'd file that as a FR.

One point is that app passwords can be a security issue in itself. If you have one the security page on Google alerts you with a big flashy yellow exclamation point and recommend you you to remove it. I did it, broke my email and took a few days to connect the dots, recreate a new app password and setup email again.

I think the problem they have is that mail clients don't do oAuth. So you always have that security weak link if you need IMAP/pop access.