If they know my master password, they also need to have a phone, that is correct. But if they know a single application specific password, they can read my mail just fine. How does the two-factor authentication protect me in this case?