Enabling WebDAV does compromise 2FA-enabled accounts because all files become accessible without the second challenge… for example, in Zimbra this
problem is solved by the possibility to create a passcode for every application that does not support 2FA… with this possibility I have a separate passcode for every connected device or program.
User wants to login use case:
2FA is great because the user can use a one-time password for improved security.
Application A wants to login use case:
App A cannot store credentials and has to give a 2FA token at each login. 2FA is impractical.
Application B wants to login use case:
App B may have more than 30 s between the moment the user can input the 2FA token and the moment the token is sent. The token has expired. 2FA is unusable.
@mulmer app passwords are not meant to replace the user's password/2FA login. The purpose of app passwords is to allow users to authenticate when 2FA is impossible/impractical to use. It's an alternative to 2FA.
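As an added example (not code from this thread or from any of the products mentioned in it), here is how the two credential paths discussed above fit together: the interactive login checks the primary password plus a TOTP code with a bounded tolerance window, while the WebDAV path refuses the primary password and accepts only a per-device app password that can be issued and revoked on its own. Everything here is an assumption for illustration: the `Account`, `AppPasswordStore`, `login_interactive` and `login_webdav` names, the in-memory store, the RFC 6238 defaults (HMAC-SHA1, 30 s step, 6 digits) and the one-step tolerance window.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30    # RFC 6238 default time step (seconds)
TOTP_DIGITS = 6
TOTP_WINDOW = 1   # steps of tolerance either side of "now" (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch."""
    return hotp(secret, at // TOTP_STEP)


def verify_totp(secret: bytes, code: str, now: int, window: int = TOTP_WINDOW) -> bool:
    """Accept codes for the current step and `window` steps either side.

    A code is valid only while |now_step - code_step| <= window, so a client that
    sits on the code for more than one extra step is rejected: the delay the
    'Application B' use case describes is exactly what this bound catches.
    """
    now_step = now // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, step), code)
        for step in range(now_step - window, now_step + window + 1)
    )


class AppPasswordStore:
    """One random, individually revocable credential per device or program.

    The secret part carries 192 bits of randomness, so a plain SHA-256 digest is
    enough to make a leaked table useless and keeps per-request checks cheap for a
    chatty WebDAV client; the slow KDF a human-chosen password needs is not needed.
    """

    def __init__(self) -> None:
        self._records: dict[str, tuple[str, str, bytes]] = {}  # id -> (owner, label, sha256)

    def issue(self, owner: str, label: str) -> str:
        token_id = secrets.token_hex(8)
        token_secret = secrets.token_urlsafe(24)
        self._records[token_id] = (owner, label, hashlib.sha256(token_secret.encode()).digest())
        return f"{token_id}.{token_secret}"  # shown to the user once, never stored in clear

    def revoke(self, token_id: str) -> None:
        self._records.pop(token_id, None)

    def list_for(self, owner: str) -> list[tuple[str, str]]:
        return [(tid, label) for tid, (o, label, _) in self._records.items() if o == owner]

    def check(self, owner: str, presented: str) -> bool:
        token_id, _, token_secret = presented.partition(".")
        record = self._records.get(token_id)
        if record is None:
            return False
        record_owner, _, digest = record
        candidate = hashlib.sha256(token_secret.encode()).digest()
        return hmac.compare_digest(candidate, digest) and record_owner == owner


class Account:
    def __init__(self, name: str, password: str, totp_secret: bytes) -> None:
        self.name = name
        # Illustration only: hash real account passwords with a slow KDF (argon2, bcrypt).
        self._password_digest = hashlib.sha256(password.encode()).digest()
        self.totp_secret = totp_secret
        self.app_passwords = AppPasswordStore()

    def password_matches(self, password: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._password_digest)


def login_interactive(account: Account, password: str, code: str, now: int) -> bool:
    """Browser login: primary password plus a fresh TOTP code."""
    return account.password_matches(password) and verify_totp(account.totp_secret, code, now)


def login_webdav(account: Account, presented: str) -> bool:
    """WebDAV (Basic auth) login: only an app password is accepted.

    The primary password is deliberately refused here, otherwise WebDAV would be
    the one door that bypasses the second factor.
    """
    return account.app_passwords.check(account.name, presented)
```

With the RFC 4226/6238 test secret `12345678901234567890`, `totp(secret, 59)` gives `287082` and a code generated at `t=100` still verifies at `t=145` (one step later) but not at `t=175` (two steps later), which is the expiry the slow-client use case runs into. Each app password is tied to one owner and one label, so revoking the token a lost laptop used leaves every other device's token working, and a leaked app password never grants an interactive session because that path still demands the TOTP code.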
Is this being considered at all? WebDAV may be ancient, but it's such a standard; I find it greatly useful for various integrations, but we can't deny it's a major security hole without some sort of passcode functionality.
I was not able to connect to WebDAV as a user with 2FA, so I guess it is protected. Would it be possible to have a WebDAV directory that is not protected by 2FA so apps can use that subdirectory? At the moment I have created another user without 2FA to provide WebDAV, but that is far from ideal.