Does that mean if my password is compromised, someone could access my e.email by connecting to the IMAP/SMTP server directly (not from ecloud), bypassing 2FA?
Would it be possible to secure the emails with an app password, for example? I feel reluctant to use e.email without a second layer of protection.
I’m not sure but I think this happens when you activate 2FA:
Enabling 2FA locks you out of every application which does not support a second input field like a 2FA TOTP. For these applications you need to create a special “application-password”. This is a separate password which allows access to e-cloud without 2FA TOTP, but it cannot be used to log in via browser and access any settings, as you need to authenticate with the real password and TOTP.
You also have a login history of your devices, so you can detect if an application you don’t know logs in to your account.
Other email providers have the same problem with IMAP; some give you the option to disable access with any other app than a browser.
I really like the service, but having the email without 2-factor authentication is very bad. It would be great if it could inherit Nextcloud 2-fa (I even use it with a hardware device, with password specific apps and so on…) but, if this is not possible, having at least the possibility of setting client specific apps just for the email part would be a good thing.