When it comes to authentication, not all services are born equal: for some services, the user needs to authenticate once and can then work for an unlimited amount of time, while with other services, authentication is needed for each transaction.
In the first category, there are SSH, VPN, databases, most web systems, login to Windows (Samba), Linux or Mac OS X…
In the second category, there are mostly the services related to email: IMAP, POP3 and SMTP (each of them, native or over SSL). When using an IMAP client, the client authenticates with the server to retrieve the list of new messages, then it authenticates for each message the user wants to read, then every 10 minutes to find new messages. Same thing with POP. When sending a message via SMTP, authentication is made with each new message. It is not realistic to ask the user for a new token each time. So these services need to be proxied, to keep the connection with the server open all the time, even if the client disconnects. I have found up-imapproxy, which does the proxy for IMAP (without SSL), but no solution yet for POP3 or SMTP (a quick test shows that even SMTP can send several different messages, to several different recipients, inside one single authentication/connection).
Good security should be applied everywhere it is relevant. There is no point in using 2FA in one place and not the other; as long as the services in the second category cannot be included, 2FA will not offer the completely foolproof solution we can expect.
Any idea on that?
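To make the "authenticate once, reuse the session" idea from the post concrete, here is an added simulation (my own example, not code from the post, from up-imapproxy or from any real mail server). It models a mail server that, like the IMAP/POP3/SMTP services described, demands a fresh one-time code on every LOGIN, and a session-caching proxy that validates the code upstream once, keeps that upstream session open, and lets the mail client reconnect afterwards with a proxy-local password. The HOTP routine follows RFC 4226; the secret, the local password table, the `OtpMailServer`/`SessionCachingProxy` classes and the `prompts_needed` helper are all constructed for this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values; a real deployment provisions a secret per user/token.
SECRET = b"demo-seed-not-a-real-secret"
LOCAL_PASSWORDS = {"alice": "proxy-only-password"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as in RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """The user's OTP generator; `prompts` counts how often the user had to produce a code."""

    def __init__(self, secret: bytes):
        self.secret, self.counter, self.prompts = secret, 0, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        self.prompts += 1
        return code


class OtpMailServer:
    """Stand-in for an IMAP/POP3/SMTP server: every LOGIN needs a fresh, unused OTP."""

    def __init__(self, secret: bytes):
        self.secret, self.counter, self.sessions = secret, 0, {}

    def login(self, user: str, code: str):
        expected = hotp(self.secret, self.counter)
        if not hmac.compare_digest(code, expected):
            return None            # wrong or replayed code
        self.counter += 1          # burn the code so it cannot be reused
        sid = f"upstream-{self.counter}"
        self.sessions[sid] = user
        return sid

    def fetch(self, sid: str) -> list:
        if sid not in self.sessions:
            raise PermissionError("no such session")
        return [f"message for {self.sessions[sid]}"]  # constructed mailbox content


class SessionCachingProxy:
    """Authenticates upstream with the OTP once, keeps that upstream session open,
    and lets the mail client reconnect with a proxy-local password afterwards."""

    def __init__(self, server, local_passwords, idle_timeout=600, clock=time.time):
        self.server, self.local_passwords = server, local_passwords
        self.idle_timeout, self.clock = idle_timeout, clock
        self.cache = {}  # user -> (upstream session id, time of last use)

    def login(self, user: str, password: str, ask_for_code):
        """`ask_for_code` is only called when no live upstream session exists."""
        if not hmac.compare_digest(password, self.local_passwords.get(user, "")):
            return None
        now = self.clock()
        cached = self.cache.get(user)
        if cached and now - cached[1] < self.idle_timeout:
            self.cache[user] = (cached[0], now)   # refresh idle timer, reuse session
            return cached[0]
        sid = self.server.login(user, ask_for_code())
        if sid is not None:
            self.cache[user] = (sid, now)
        return sid


def prompts_needed(rounds: int, use_proxy: bool) -> int:
    """Simulate `rounds` mail-client reconnects; return how many OTP prompts the user saw."""
    server, token = OtpMailServer(SECRET), HardwareToken(SECRET)
    proxy = SessionCachingProxy(server, LOCAL_PASSWORDS)
    for _ in range(rounds):
        if use_proxy:
            sid = proxy.login("alice", "proxy-only-password", token.next_code)
        else:
            sid = server.login("alice", token.next_code())
        assert sid is not None and server.fetch(sid)
    return token.prompts


if __name__ == "__main__":
    print("direct:", prompts_needed(6, False), "prompts")   # one per reconnect
    print("proxied:", prompts_needed(6, True), "prompts")   # one in total
```

The idle timeout is the design point worth noting: the proxy holds a live, fully authenticated upstream session on the user's behalf, so that session should expire after a period of inactivity and the proxy host itself has to be protected at least as well as the mail server, since compromising it bypasses the second factor for every cached user.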