You have pure clients like https://deck.blue/

And then "soft forks" like https://deer.social/

Am I supposed to type my bluesky password into some random website?

Why would there be no 2FA options, like when using https://element.io for a homeserver?

You make an "app password" which is basically an API token.

They've recently added OAuth, but since it's pretty new, a lot of older projects haven't moved over yet.

2FA exists but only for emails right now, more to come. https://github.com/bluesky-social/social-app/issues/1071

Okay that makes sense, thanks! And yea, I meant OAuth, 2FA has really nothing to do.