Just one foot note (as I have just taken my own advice and turned it on). Suddenly I couldn't push/pull through the git command line access as it would not accept my password.
If you need to store a personal access token in order to pull or push to your own repos, how is two-factor auth any better than a normal account with a secure (ie reasonably long, unique, randomly generated) password?
I use 2FA with GMail and the same question could be asked. The answer is that an application password does not have admin rights to the account. It can be revoked at any time. It traces the breach directly back to a particular application. They are not meant to be memorized but rather to be set and remembered in a particular application which means they can be extremely complex and are by default. I have to think that at least some of this is applicable to GitHub's 2FA.
Your points are good ones for something like GMail (where a single account allows access to many Google services and includes a potentially huge trove of other private data).
For github though, the the repos you have read (or commit if vandalism is the risk) access to are the data in question, so unless you use your github account for other things, I'm still not really seeing the benefit to the end user if you still have to store OAuth tokens everywhere you actually use git.
Can github issue OAuth tokens that are restricted to a specific repo? At least that would prevent a token leak exposing other repos that you had access to.
Took me a bit to work it out but you need to go here https://github.com/settings/applications and create personal access tokens.