IMAP protocol as well email clients do not support second factor authentication for the mailboxes. Even if they did, IMAP connections are made way too often which would make authentication unusable. Imagine needing to enter your TOTP token every few minutes.
We could enable 2FA on the webmail, but IMAP/POP/SMTP accesses remain unprotected which beats the purpose. We are working on solution here which will allow sand-boxing a username/password pair to a webmail use only.
We do offer so called App-specific passwords via mailbox identities though. These are commonly touted by email providers as 2FA. They are not.
Imap doesnt support 2fa.