Traditional 2FA versus PIN + OTP

Flatlyn

I've just migrated to a new email company and they offer a type of 2FA I've never come across before.

Traditionally in 2FA you enter your username and password, then are presented with a screen asking for the generated code token. Sometimes you simply append the token to the password for times when a second page isn't possible; VPNs, for example, often use that.

The new company I'm dealing with has you create a 4-digit PIN, and when you enable 2FA you no longer sign in with your password but use PIN + token entered into the password field on the login form. The account still has a password for IMAP, SMTP, POP3, etc. access.

This seems much less secure to me, but I'm not sure if I'm right. My thinking is that a suitably complex password (let's say 32 characters of letters, numbers, and symbols) followed by the token which changes every 30 seconds is going to take infinitely longer to crack than a 4-digit numerical PIN combined with the same token.

In this case, would it be more secure to use a suitably complex password without 2FA enabled that you change every couple of weeks than the 2FA implementation with PIN + token?

Note: The company itself refers to this system as both 2FA and OTP interchangeably, but I'm not entirely sure what the correct terminology should be.
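As an added example (not code from the question or from the email provider), the following works the keyspace comparison from the question through in numbers and shows where the "token" comes from: an RFC 4226 HOTP / RFC 6238 TOTP implementation checked against the RFC test vectors, plus a server-side check of a "PIN + token" string typed into the password field. Everything about the provider's format is assumed: a 6-digit HMAC-SHA1 TOTP with the 30-second step the question mentions, the PIN placed before the token, 94 printable ASCII characters as the alphabet of the 32-character password, and the RFC test secret standing in for a real enrollment secret.

```python
"""Keyspace comparison and PIN + TOTP validation (added example, not the provider's code).

Assumptions not stated on the page: 6-digit TOTP, HMAC-SHA1, 30-second step,
PIN placed before the token, password alphabet of 94 printable ASCII characters.
"""
import hashlib
import hmac
import math
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used here only so the
# outputs can be checked against the RFC vectors; a real secret is random bytes from enrollment.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of the guess space, in bits, for a uniformly random string."""
    return length * math.log2(alphabet_size)


def compare_keyspaces(token_digits: int = 6) -> dict:
    """Bits an attacker must search, within one token window, for each credential in the question."""
    token_bits = keyspace_bits(10, token_digits)  # one 30-second window (assumed 6 digits)
    password_bits = keyspace_bits(94, 32)         # 32 printable ASCII characters (assumed alphabet)
    pin_bits = keyspace_bits(10, 4)               # 4 decimal digits
    return {
        "password_32_only": password_bits,
        "password_32_plus_token": password_bits + token_bits,
        "pin_4_plus_token": pin_bits + token_bits,
        "token_only": token_bits,
    }


def verify_pin_plus_totp(submitted: str, pin: str, secret: bytes, unix_time: int,
                         step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check of a 'PIN + token' string submitted in the password field (assumed format).

    The PIN is compared in constant time; the token is accepted for the current step
    plus or minus `skew` steps to absorb clock drift (RFC 6238 section 5.2).
    Both checks always run so a wrong PIN and a wrong token take the same path.
    """
    if len(submitted) != len(pin) + digits or not submitted.isdigit():
        return False
    pin_ok = hmac.compare_digest(submitted[:len(pin)].encode(), pin.encode())
    code = submitted[len(pin):]
    counter = unix_time // step
    token_ok = False
    for delta in range(-skew, skew + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            token_ok = True
    return pin_ok and token_ok


if __name__ == "__main__":
    for name, bits in compare_keyspaces().items():
        print(f"{name:>24}: {bits:6.1f} bits")
    login_string = "1234" + totp(TEST_SECRET, 59)  # what the user would type at t=59
    print("typed into password field:", login_string)
    print("accepted:", verify_pin_plus_totp(login_string, "1234", TEST_SECRET, 59))
```

Under these assumptions the 32-character password alone is about 2^210 guesses, while PIN + token inside one 30-second window is 10^4 x 10^6 = 10^10, roughly 2^33, of which the token contributes just under 20 bits. Those figures describe online guessing against the login form; they say nothing about the separate IMAP/SMTP/POP3 password the question mentions, which is still accepted without any token.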