To enable two factor authentication set g_pass_twofactor “true” then the users can enable two factor authentication in their user self admin interface:
https://your.mail.server/cgi/user.cgi
The user can then specify what level of two factor authentication they wish, as imap smtp and pop were never intended to use this type of authentication it only works really well for surgeweb logins. But it can still add a layer of security for the others as well.
The user.cgi page allows users to also create or delete application passwords for legacy applications (normal desktop email clients).
Alternatively the setting g_pass_twofactor_merged "true", can be used, then the user logs into legacy applications with their regular password+twofactorcode. So lets say your password is 'secret' and your 2fa app was showing code '1232", you would enter "secret+1232" as your password, it would then work as normal for a few hours, and then it would require the password to be entered again.
Lets be blunt, legacy applications (all normal email clients) are not designed to be used with two factor authentication, so it's a question of 'which cludge do you wish to use'. Both are much more secure than not having 2 factor authentication, but not nearly as secure as true 2fa. And both add a level of inconvenience.