I was facing the problem that when I enabled two factor auth, I could no longer login from my iPhone via caldav and carddav. I already found the solution (e.g. here: How to use CalDav URL with two-factor auth?).
But I did not find a deeper understanding of those app passwords. Some questions came to my mind:
As I see, I cannot specify which installed app should use a newly created password. Surely, we can discuss if it would be more secure to ensure that an app password can only be used by a specific installed app, but wouldn't this be a good idea?
In the background, can somebody give me a link or an explanation where the auth via app password is described from a security point of view? Most of all, it would be interesting how these app passwords then bypass the 2 factor login.
I'm too lazy to google for you, but app passwords are a common solution not only in NC but throughout the IT landscape - they are used to log in using clients which are unable to perform MFA for some reason (non-interactive, missing MFA support in a protocol like IMAP). They don't "bypass" MFA; they don't follow this approach. The idea is you use such a "single factor" password for specific applications or devices - so you can limit the attack vector from leaking this password. Ideally it would be limited to a specific scope but this is very basic in NC - one can e.g. prohibit file access but possible scopes are limited. At the end this is a pragmatic solution to allow applications which don't support MFA to log in to NC using dedicated single factor passwords. Technically these PWs are not limited to but if you create one password per device you can easily lock out the device if there is any issue.
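To make the answer above concrete, here is an added example (constructed for this thread, not Nextcloud's own implementation) of how a server can model app passwords as separate single-factor credentials: each one is issued for one device, stored only as a salted hash, checked on its own path that never touches the interactive password plus second factor, restricted to a scope (here the iPhone gets CalDAV/CardDAV but no file access), and revocable per device without affecting other devices. The class and scope names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of per-device app passwords (not Nextcloud's code). Each app
# password is verified alone as a single factor, never combined with the user's
# main password + second factor, and can be scoped and revoked per device.
ALL_SCOPES = frozenset({"caldav", "carddav", "files"})


class AppPasswordStore:
    def __init__(self):
        self._records = {}  # password id -> record; only a salted hash is kept

    def issue(self, device, scopes):
        """Create one app password for one device; the secret is shown once."""
        scopes = frozenset(scopes)
        if not scopes <= ALL_SCOPES:
            raise ValueError(f"unknown scope in {scopes}")
        pid, secret, salt = secrets.token_hex(8), secrets.token_urlsafe(24), os.urandom(16)
        self._records[pid] = {
            "device": device, "salt": salt, "scopes": scopes, "revoked": False,
            "digest": hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000),
        }
        return f"{pid}:{secret}"  # the token a CalDAV/CardDAV client would store

    def authenticate(self, token, scope):
        """Return the device name on success, else None (single factor only)."""
        pid, _, secret = token.partition(":")
        rec = self._records.get(pid)
        if rec is None or rec["revoked"] or scope not in rec["scopes"]:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), rec["salt"], 100_000)
        return rec["device"] if hmac.compare_digest(digest, rec["digest"]) else None

    def revoke_device(self, device):
        # Lock out one device; other devices' app passwords keep working.
        hit = [r for r in self._records.values() if r["device"] == device and not r["revoked"]]
        for r in hit:
            r["revoked"] = True
        return len(hit)


def demo():
    store = AppPasswordStore()
    phone = store.issue("iPhone", {"caldav", "carddav"})  # no file access
    laptop = store.issue("laptop-client", ALL_SCOPES)
    before = (store.authenticate(phone, "caldav"), store.authenticate(phone, "files"))
    revoked = store.revoke_device("iPhone")
    after = (store.authenticate(phone, "caldav"), store.authenticate(laptop, "files"))
    return before, revoked, after
```

Running `demo()` shows the phone's password working for CalDAV but refused for files, then failing entirely once the phone is locked out while the laptop's password is unaffected.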