Re: Email != Webmail
I access my gmail over imap and I have 2FA enabled.
Yes, that's because the IMAP protocol is tacked on to a web-based email service. Pure IMAP has no facility to provide 2FA.
You don't access email over SMTP
No, my bad, I meant POP3. However, if a server is using POP-before-SMTP, then it is possible to enumerate logins over SMTP.
MAPI is a programming interface.
Not just a programming interface, MAPI/RPC is the protocol used by older Outlook clients to talk to Exchange servers.
EAS can be secured using certificates thereby making the device the something you have.
a certificate is NOT 2FA, it's too easy to proxy.