1. RFC 7628 OAUTHBEARER. Basically your IMAP client has to have a way to obtain OAUTH tokens (e.g. spawn a web browser window the first time you log in, that authenticates because it's a web browser, then get it to give you an OAUTH token) and it binds that token to your IMAP login as proof of who you are. Google also supports a non-standard older way to do this. Cheesy "my first IMAP implementation" code can't do this, but several Free Software mail clients do.
2. User goes into Google's security settings, says they agree to suffer worse security, gets "app password" minted by Google, fills that into the IMAP client. They can't use their "real" password which is presumably "password1" so the Pwned list doesn't work on this but it's not great.
But if you never set up any 2FA then it really wouldn't matter. Google's answer for their own employees was just to issue them FIDO Security Keys and mandate 2FA, and that's certainly what I'd endorse if you have money and want security, but their medium-term plan is to enforce 2FA setup for users who seem to own e.g. a smartphone.
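The token-binding step in option 1, as an added example (not the comment author's code): it builds the RFC 7628 OAUTHBEARER initial client response, Google's older XOAUTH2 form for comparison, and the callback that Python's imaplib `authenticate()` expects, including the failure round trip where the server returns a JSON error. It assumes the token was already obtained out of band; the user, host and token values are constructed placeholders.

```python
import json
import imaplib  # only used in the commented usage at the bottom

KVSEP = "\x01"  # RFC 7628 key/value separator (Ctrl-A)


def oauthbearer_initial_response(user: str, host: str, port: int, token: str) -> bytes:
    """RFC 7628 section 3.1 initial client response, before base64 encoding.

    Layout: GS2 header "n,a=<authzid>," then ^A, then key=value pairs each
    ending in ^A, then a final ^A. host/port bind the token to this server.
    """
    gs2_header = f"n,a={user},"
    pairs = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    return (gs2_header + KVSEP + pairs + KVSEP).encode("utf-8")


def xoauth2_initial_response(user: str, token: str) -> bytes:
    """Google's older non-standard XOAUTH2 form: no GS2 header, no host/port."""
    return f"user={user}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}".encode("utf-8")


def parse_oauthbearer_error(challenge: bytes) -> dict:
    """On failure the server sends a JSON document (RFC 7628 section 3.2.2)."""
    return json.loads(challenge.decode("utf-8"))


def oauthbearer_authobject(user: str, host: str, port: int, token: str):
    """Callback for imaplib.IMAP4.authenticate(); imaplib base64-decodes the
    server challenge before calling it and base64-encodes what it returns."""
    state = {"sent": False, "error": None}

    def respond(challenge: bytes) -> bytes:
        if not state["sent"]:
            state["sent"] = True
            return oauthbearer_initial_response(user, host, port, token)
        # A second round trip only happens on failure: keep the server's JSON
        # and answer with a lone ^A, which the spec requires to end the exchange.
        state["error"] = parse_oauthbearer_error(challenge)
        return KVSEP.encode("utf-8")

    respond.state = state
    return respond


# Usage (constructed placeholder values; TOKEN must come from the OAuth flow):
# imap = imaplib.IMAP4_SSL("imap.example.com", 993)
# auth = oauthbearer_authobject("user@example.com", "imap.example.com", 993, TOKEN)
# imap.authenticate("OAUTHBEARER", auth)
```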