Test using the REST API w/ Gutenberg (cookie auth), and also using another auth method (like Basic Auth with Insomnia). Also test XML-RPC w/ Jetpack and/or the WP mobile app.
How does 2fa affect those? It'll probably break, even when using an app password work:
https://github.com/WordPress/two-factor/blob/2a61cd1d2ea6e89428d7b525a0c02b46262fbf5e/class-two-factor-core.php#L462-L481
https://github.com/WordPress/wordpress-develop/blob/6c13a2da46994b2f4366fa8f69d5e6aabaf269cb/src/wp-includes/default-filters.php#L476-L479
Do we want to allow app passwords?
Test using the REST API w/ Gutenberg (cookie auth), and also using another auth method (like Basic Auth with Insomnia). Also test XML-RPC w/ Jetpack and/or the WP mobile app.
How does 2fa affect those? It'll probably break, even when using an app password work:
https://github.com/WordPress/two-factor/blob/2a61cd1d2ea6e89428d7b525a0c02b46262fbf5e/class-two-factor-core.php#L462-L481
https://github.com/WordPress/wordpress-develop/blob/6c13a2da46994b2f4366fa8f69d5e6aabaf269cb/src/wp-includes/default-filters.php#L476-L479
Do we want to allow app passwords?