I really love the NextCloud service, thanks for creating it!
I initially was going to request enabling 2FA via TOTP, but that isn’t required if you use app-specific passwords in the Security settings – so just a heads up to anyone who wants to have per-device/app revocation 
I suspect it’ll be faster as well, because it won’t need to authenticate via the IMAP proxy and just use the local passwords in DB – might want to highlight that as well, in any future documentation 
If that does indeed bypass IMAP authentication, I may need to find a way to disable it. That could potentially allow for an abuse vector that drives up revenue without anything to offset it if users could continue to access it after account cancellation, short of manual review of accounts.
Not sure if you disabled it, as it seems to have stopped working? Even with my regular password, random authentication failures happen once or twice a day (I’ve set up sync every 4 hours in DavX5).