Starting March 2021, Apple made two-factor authentication mandatory for all accounts.
Third party applications (like the App Store Manager) that perform asynchronous activities for app developers and app publishers are affected by this change. Above all, they have to implement new App Store Connect authentication functions to their software. In the past, applications usually used separate Apple IDs with two factor authentication turned off. Inserting the code into an asynchronous background task that processes data is a challenge. After all, the user who needs to confirm the third-party app’s access can’t constantly look at their phone and then do the confirmation. This is certainly not particularly user-friendly.
Apple offers two alternatives for this. Firstly, you can create app specific passwords (one-time accesses keys). Unfortunately, these only allow limited access in practice. This means third-party applications can not perform all desirable activities. For example, metadata management is not possible.
Secondly, an other option is to create API keys. These provide consistent access to the configured apps. However, they also offer a disadvantage. The API keys can be limited in rights, but not restricted to individual apps. This is a significant shortcoming. The competitor Google with its Google Play Store offers much more settings and configuration options. Apple also recommends not to pass on generated API keys to third-party apps.
The previous way of disabling two-factor authentication was of course not a secure way to enable access to the App Store via own accounts. Apple did well to prevent this. However, the alternatives are not very developed yet. The lack of settings for the individual API keys and the missing functions for the one-time keys are a nuisance. Application vendors that support App Store processes need to implement the new App Store Connect authentication methods. Users have to deal with fewer configuration settings. Hopefully, Apple will improve this significantly in the near future.