Does your server have a 2-factor option already? In Thunderbird (mozilla imap client) the options are “Normal Password”, “Encrypted Password”, “Kerberos/GSSAPI”, “NTLM”, “TLS Certificate” and “OAuth2”. None of those sound like 2-factor, but OAuth can probably be set up to require a second factor before it completes?

Your post kind of sounds like you want to create a new custom extension to the IMAP protocol to exchange two passwords. This seems like an odd choice, because no other IMAP client would support it. I think it would be much better to look at what IMAP already supports with OAuth2.