Your users might have third-party apps that don’t support the latest authentication protocols and don’t work for users with 2-Step Verification (2SV). Legacy email apps are examples of such apps.
Apps that don't support the latest protocols
If a user sees a “password incorrect” error when trying to sign in to an app that doesn't support the latest protocols, an App password could solve the problem. App passwords give apps permission to access a Google Account without the user divulging their Google password to the app.
App passwords bypass 2SV
Because App passwords bypass 2SV:
- App passwords are discouraged—It’s better to install more secure apps that use modern authentication protocols. However, if some of your users have legacy apps that require App passwords, you’ll need to allow your users to access less secure apps. Your users can then sign in using an App password.
- Enforcing security keys disables App passwords—You can't require users to use a security key for 2SV and also let them use App passwords to sign in to legacy apps. If you enforce security keys as the 2SV method for your users, your company has security requirements that you don't want to circumvent.