After having my account frozen for "questionable activity" a couple of times, I set up this 2-step authentication and haven't had any issues since.

While it is not fool-proof, it is better than just a password. I've even had my phone ring and give me a verification code that I didn't request which leads me to believe somebody got my password but still could not get in. Needless to say, I changed the password after that.

I don't see a mention about the Application Codes, passwords that can be used by native clients like Thunderbird, that can only be used to access application, like Thunderbird, but not through your browser or into your settings. These codes are easy to get and easy to revoke when logged into your Dashboard with 2-step authentication. The trick is to record them somewhere because once generated, you can't pull it up again afterwards.