Wondering if « device token » voids two-factor security


I have enabled two-factor authentication on my Nextcloud instance. Everything works OK using the web interface and the NC client.

But when it comes to accessing CalDAV etc., I configured device tokens because of TOTP client incompatibility, as said in the docs.

As far as I could understand it, using the username/token, an application can read/write all my files. I couldn't find an option to say (for example) « this token can only manage calendars ». And I can use the same token for iCal, iContacts and even rclone/WebDAV, which should get different access rights.

If this is correct, I wonder if using « device tokens » lowers the security of the whole instance. If tokens are « harder » because they are 29 characters long, then I could simply use a single 29-character password to log in to the Web UI and configure my third-party apps.

I must be missing something. Maybe there's an option to configure specific rights for app tokens?

Any thoughts?
Thank you.

Yes, you're right. Currently no option exists to restrict app password access to specific data. I personally prefer to set up individual app passwords per application because this allows you to identify the application which has last accessed your account/data.

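As an added example that is not part of the thread and not Nextcloud's own code: a small Python probe that checks which DAV collections an app password can actually reach, which is the check behind the question above. It sends an authenticated PROPFIND (Depth: 0) to the standard Nextcloud DAV paths for files, calendars and address books and reports which ones answer 207 Multi-Status. The paths follow Nextcloud's usual remote.php/dav layout; the server URL, user name and token in the usage block are placeholders you replace with your own.

```python
"""Probe which DAV scopes a Nextcloud app password (device token) grants.

Added example, not code from the forum thread or from Nextcloud. A 207 on a
collection means the token can enumerate it; a 401 means it is refused. With
a normal app password all three collections answer 207, which is the point
made in the thread: the token is a full-account credential, not a scoped one.
"""
import base64
import urllib.error
import urllib.request

# Standard Nextcloud DAV collections, relative to the instance root.
DAV_COLLECTIONS = {
    "files": "remote.php/dav/files/{user}/",
    "calendars": "remote.php/dav/calendars/{user}/",
    "contacts": "remote.php/dav/addressbooks/users/{user}/",
}


def basic_auth_header(user: str, token: str) -> str:
    """Build the HTTP Basic header value an app password is sent with."""
    raw = f"{user}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _http_send(method: str, url: str, headers: dict, timeout: int = 10) -> int:
    """Default transport: perform the request and return the HTTP status code."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403/404 are answers too; report them instead of raising.
        return err.code


def probe_scopes(base_url: str, user: str, token: str, send=_http_send) -> dict:
    """Return {scope: HTTP status} for each DAV collection.

    `send(method, url, headers)` is injectable so the probe can be exercised
    offline; by default it performs a real PROPFIND against the server.
    """
    headers = {"Authorization": basic_auth_header(user, token), "Depth": "0"}
    results = {}
    for scope, path in DAV_COLLECTIONS.items():
        url = base_url.rstrip("/") + "/" + path.format(user=user)
        results[scope] = send("PROPFIND", url, headers)
    return results


def granted(results: dict) -> list:
    """Scopes the token can reach (PROPFIND answered 207 Multi-Status)."""
    return sorted(scope for scope, code in results.items() if code == 207)


if __name__ == "__main__":
    # Placeholders (assumptions): point these at your own instance and an app
    # password generated under Settings > Security for a test account.
    BASE_URL = "https://cloud.example.invalid"
    USER = "alice"
    APP_PASSWORD = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"

    status = probe_scopes(BASE_URL, USER, APP_PASSWORD)
    for scope, code in status.items():
        print(f"{scope:9s} -> HTTP {code}")
    print("reachable with this token:", ", ".join(granted(status)) or "none")
```

If the calendar client's token also answers 207 on the files collection, that token is worth exactly as much as the account password minus the second factor, which is why the reply above recommends one app password per application: you cannot narrow what a token may do, but you can at least tell which one was used and revoke it on its own.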

Ok. Thanks a lot.