I know the OP said they had resoled this on their own, but for public sake i wanted to document the process:
So the way to circumvent this while retaining 2FA on your account is to generate
Application Passwords which allow access without triggering the TOTP dance.
Once you've generated the app password and entered it into your app (Dekko, Thunderbird, Etc.) you should have the same browser login experience with 2FA, and your apps should be able to function securely. Note: that those app passwords are scoped to the entirety of your google account and should be protected just like any other account password.
Best of luck, cheers