I have tried to find an answer in help and in older fori topics, but no success.
If I setup FIDO2 authentication, is the FIDO key only needed when I access my account through a web-browser (with access to security settings, etc.), or is it also needed when a nextcloud app (e.g. the nextcloud app for macos or iOS) is accessing or synchronizing the files on the nextcloud ?
No, for these you can set up app passwords (that do not change and do not require a second factor). For the official apps, they do a login workflow, meaning on the first use, you login via a browser, and the app creates an app password itself.
Very much appreciate. It wasn’t obvious.
Now, wouldn’t this mean that access through the apps is (in this case) less secure than access through the browser/FIDO key ? Or is it assumed that the “in-app-created” passwords are inherently secure since they are never exposed ?
They have a randomly created password that is very long. So the typical dictionary attacks, common passwords etc. that often apply for user created passwords, do not work. And only the application knows the password, well it could some way expose the password.