Agreed on the two-factor auth bit: their implementation seems a bit wacky. (At least, their Google Authenticator TOTP implementation. It seemed like their YubiKey implementation was pretty good, but I don't have a YubiKey.)
However, their "alternative login" thing is pretty useful. I have separate (completely random) passwords for the IMAP sync for my phone and work machine, so I can revoke those at any time without touching the master password. In some sense, that setup is similar to the one Google has for two-factor auth and service-specific passwords.
Indeed. And the 'regular' alternative logins do have _somewhat_ limited access, but to be usable for pop/imap/smtp they have to be of type 'full access'.
'full access' regular logins can do _everything_ but modify other alternative logins. If you happen to have domain admin rights added to your login (e.g. not the main domain admin account), regular logins can even do that!
I would probably pay double for an "imap/smtp only login" feature. ;)