Securing - latest version, still API password?

I’ve stood up the latest version of Home Assistant. Before I open external access through my firewall, I’m obviously keen to lock it down as much as possible.

I know there have been auth changes recently, and I have two-factor auth enabled on all our accounts.

However, some docs refer to the old API password mechanism. How do I disable / lock that down, so that all accounts are two-factor only? Is it “disabled by default” on a fresh install?

For a start “latest” is not a version. Please be specific.

Second, I am pretty sure API auth is turned off in 0.84. But easy for you to test.

OK. My apologies, but it appears you knew which version I was talking about :frowning:

“Pretty sure” is the reason I’m asking. I’m not opening up a firewall hole with the ability to disarm security and unlock doors if there’s a password I need to secure.

I’m happy to help fill the doc gaps with a PR, but I’ve been working with HASS for only about 48 hours at this point - hence my ask for more experienced help.

The old API password is not operational unless you specify it in the config

Thanks, @flamingm0e!