I use app specific passwords for my IMAP and CalDav accounts on zoho. I also have multi-factor login enabled. However, I can still add another app just using my own password and get notifications that logins have occurred from other locations fairly regularly. 

I assumed that if I set up app-specific passwords, it wouldn't let apps without an app-specific password log in. What am I missing here?