Disable permanent 2FA

I have enabled the ECG app and I had to enable two-factor authentication.

Now third party apps such as Biometric Explorer have stopped working.

Is there a way to disable the ECG app and disable MFA so that apps work again? I do not care about deleting ECG data.

  • I'm in Canada. I don't use ECG but I was curious about this permanent 2FA issue so I did a little test:

    - made a throwaway Garmin account (using an existing Gmail address but adding a "+" suffix to the end of it to make it unique)

    - enabled 2FA

    - disabled 2FA (this worked - I assume it's because I never had the ECG app?)

    - enabled 2FA again

    - tried to disable 2FA but it temporarily failed due to rate limiting from Cloudflare (or so the error message that was only visible in the network console claimed)

    I'll try again later and see if I can ever successfully disable 2FA on this account. If so, maybe there's a way to manually replicate the same network traffic that's sent when disabling 2FA.

    (There doesn't seem to be a separate request to explicitly *enable* 2FA though -- it *seems* to be part of the same "validateMFA" request that's sent when you enter your code for the first time.)

    EDIT: yes I was truly rate limited. I was able to disable 2FA again by waiting a few minutes after logging in [which involves a code request]

  • EDIT: deleted script that doesn't work :/

    Well at least it's confirmed that if you write a script that does the same thing as pressing the "disable 2FA" button (when you have non-permanent 2FA), it doesn't work for people who have permanent 2FA.

  • I tested your script as you described and using a permanently enabled 2FA...

    It did not work for me, unfortunately.

  • I tested your script as you described and using a permanently enabled 2FA...

    It did not work for me, unfortunately.

    Ah sorry to hear that.

  • Tried it as well.
    The script replies with "successfully disabled mfa".

    But in reality, when you check the page again, the 2FA is still active.

    BTW, thanks for investing your time in this :)

  • Thanks for the feedback! Sorry it doesn't work.

    At least we know Garmin is getting better at security haha