Absolutely missing the point
As I have said before, 2FA is not needed to improve email security.
2FA merely ensures that people now run around with tokens and are no longer really online - email already has all the mechanisms required to properly protect it if. you. have. actually. a. clue. what. you. are. doing.
Of course, implementing 2FA as a solution will make a consultancy a solid lump of money, just as the National ID card thing did. And just like the National ID card
scam, sorry, scheme it will not deliver. I know of quite a number of people who tried, for instance, ProtonMail which is technically a beautiful solution, but they gave up in weeks because of the usability factor.
That said, these are presumably the same people who had parliament.uk running through MessageLabs where even a cursory assessment would have shown that one of the servers was actually based in the US so please don't tell me they know what they're doing. If they want thoroughness and really *fix* the problem, they're not quite there yet. Going public with an idea that works for logins but at best only for webmail is, umm, not a good signal to those in the know, so I look forward to this getting handed to <fill in current favourite consultancy who have must talked them into this> and see end users who can barely operate a phone go effectively offline as a result.
Which, I guess, is one way to make it more secure in the same way that a strong laxative will fix a persistent cough (you daren't).
Meanwhile, my sales@(not going to tell you) account still has "password" as password. Despite dictionary attacks it still has not been breached, and I think we're coming up to 3 years now. New technology required to make that happen: none. No, seriously, none. And yes, I do get spam that then gets filtered out, but a login breach? Nope.
Dammit, that's my rant quota gone for the month.