Right now we limit password auth to a limited set of account:IP pairs. That allows us to set up certain service users that can bypass the second OTP auth factor.
We can leave this in place, in which case the workflow would always involve getting an app token using 2FA and only using that token for actual direct API access.
Or we could just remove the safelist extension and allow normal password auth from wherever.
OR we could do some to-be-determined in-between thing.
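As an added illustration (not code from this discussion or the project), the current rule and the "remove the safelist" option expressed as a single policy check; the account names and network ranges are constructed, and `safelist_enabled=False` models option two, where every password login goes back to needing the OTP factor.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed safelist (hypothetical accounts and ranges): account -> source
# networks from which password auth may skip the second (OTP) factor.
SAFELIST = {
    "backup-svc": ["10.0.5.0/24"],
    "ci-runner": ["192.0.2.10/32"],
}


@dataclass(frozen=True)
class PasswordAuth:
    account: str
    source_ip: str
    password_ok: bool   # outcome of the password check, done elsewhere
    otp_ok: bool        # True if a valid OTP was presented with the login


def is_safelisted(account: str, source_ip: str, safelist=SAFELIST) -> bool:
    """The OTP bypass is keyed on the account:IP pair, never on the account alone."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(net) for net in safelist.get(account, ()))


def otp_required(attempt: PasswordAuth, safelist_enabled: bool) -> bool:
    """With the safelist extension removed, every password login needs OTP."""
    if not safelist_enabled:
        return True
    return not is_safelisted(attempt.account, attempt.source_ip)


def decide(attempt: PasswordAuth, safelist_enabled: bool = True) -> str:
    """Return 'allow' or 'deny' for one password-auth attempt."""
    if not attempt.password_ok:
        return "deny"
    if otp_required(attempt, safelist_enabled) and not attempt.otp_ok:
        return "deny"
    return "allow"
```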