Hi!
Thanks for adding 2FA to the web UI, this is an important step. However, I’m wondering about the current state of the API with respect to 2FA.
Please correct me if I’m wrong, but from reading the API documentation, my impression is that an adversary who obtained a valid username/password combination (e.g., through phishing) would have little reason to worry about 2FA at all, because pretty much everything can be done through API calls after obtaining a token from the login endpoint. The login endpoint is not secured by 2FA.
Is this correct? If yes, are there plans to extend the 2FA to the API login? The login endpoint might be extended so that a TOTP has to be provided for accounts where 2FA is active. For non-interactive use cases the web UI can be used to create long-term API tokens.
Cheers, and keep up the excellent work
Raimar
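The design the post proposes (login endpoint refuses to issue a token for a 2FA-enabled account unless a valid TOTP accompanies the password; long-term API tokens for scripts are only minted from a session that has already cleared 2FA) can be sketched as follows. This is an added illustration and not code from the project under discussion; the `AuthStore` class, the function names, the in-memory token tables, the password hashing stand-in and the TTL values are all assumptions. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) and is checked against the RFC's published test vector.

```python
"""Login flow that enforces TOTP for 2FA-enabled accounts and issues long-lived
API tokens only from a session that has already passed 2FA.
Hypothetical example: the store, names and TTLs are assumptions, not the
project's own API."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

STEP = 30                    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SESSION_TTL = 3600           # short-lived token returned by login()
API_TOKEN_TTL = 90 * 86400   # long-term token for non-interactive clients


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * STEP), code)
               for k in range(-window, window + 1))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for the project's password hashing (PBKDF2 here;
    # a slow memory-hard KDF such as argon2 would be the usual choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    """Constructed in-memory user/token store (assumption, not the project's model)."""

    def __init__(self) -> None:
        self.users = {}       # username -> {salt, pw_hash, totp_secret or None}
        self.sessions = {}    # session token -> (username, expiry)
        self.api_tokens = {}  # api token -> (username, expiry)

    def add_user(self, username: str, password: str,
                 totp_secret: Optional[bytes] = None) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt,
                                "pw_hash": _hash_password(password, salt),
                                "totp_secret": totp_secret}


def login(store: AuthStore, username: str, password: str,
          totp_code: Optional[str] = None,
          now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Returns (status, token); status is 'ok', 'invalid_credentials' or 'totp_required'.
    A correct password alone never yields a token when 2FA is enabled on the account,
    so a phished username/password pair is not enough to obtain API access."""
    now = int(time.time()) if now is None else now
    user = store.users.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # equalise timing for unknown users
        return "invalid_credentials", None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return "invalid_credentials", None
    if user["totp_secret"] is not None:
        if totp_code is None or not verify_totp(user["totp_secret"], totp_code, now):
            return "totp_required", None
    token = secrets.token_urlsafe(32)
    store.sessions[token] = (username, now + SESSION_TTL)
    return "ok", token


def create_api_token(store: AuthStore, session_token: str,
                     now: Optional[int] = None) -> Optional[str]:
    """Long-term token for scripts, issuable only from a live session; for 2FA
    accounts that session can only exist because the TOTP step was completed."""
    now = int(time.time()) if now is None else now
    entry = store.sessions.get(session_token)
    if entry is None or entry[1] <= now:
        return None
    token = secrets.token_urlsafe(32)
    store.api_tokens[token] = (entry[0], now + API_TOKEN_TTL)
    return token


def authenticate(store: AuthStore, token: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Resolve a session token or an API token to a username, or None if unknown/expired."""
    now = int(time.time()) if now is None else now
    entry = store.sessions.get(token) or store.api_tokens.get(token)
    if entry is None or entry[1] <= now:
        return None
    return entry[0]
```

Accounts without a TOTP secret keep the current single-factor behaviour, so enabling the check is backwards compatible for users who have not turned 2FA on; the `totp_required` status lets a client distinguish "wrong password" from "second factor missing" without leaking which one failed to an unauthenticated caller beyond what the web UI already reveals.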