It’s under API Security. But if you don’t need it, there’s no reason to turn it on.
I might be wrong about the Android app needing credentials after you turn on Basic Authentication. I switched that on in Main UI and was still able to access my sitemap from the app.
You currently have to use Karaf to define additional users.