Disable permanent 2FA

I have enabled the ECG app and I had to enable two-factor authentication.

Now third party apps such as Biometric Explorer have stopped working.

Is there a way to disable the ECG app and disable MFA in order that apps work again? I do not care about deleting ECG data.

  • I'm in Canada. I don't use ECG but I was curious about this permanent 2FA issue so I did a little test:

    - made a throwaway Garmin account (using an existing Gmail address but adding a "+" suffix to the end of it to make it unique)

    - enabled 2FA

    - disabled 2FA (this worked - I assume it's because I never had the ECG app?)

    - enabled 2FA again

    - tried to disable 2FA but it temporarily failed due to rate limiting from Cloudflare (or so the error message that was only visible in the network console claimed)

    I'll try again later and see if I can ever successfully disable 2FA on this account. If so, maybe there's a way to manually replicate the same network traffic that's sent when disabling 2FA.

    (There doesn't seem to be a separate request to explicitly *enable* 2FA though -- it *seems* to be part of the same "validateMFA" request that's sent when you enter your code for the first time.)

    EDIT: yes I was truly rate limited. I was able to disable 2FA again by waiting a few minutes after logging in [which involves a code request]

  • Alright, so I managed to find a way to disable 2FA using a script. However, note that I tested with a dummy account which did not have permanent 2FA - I was already able to disable 2FA at will, using the Garmin account security settings page. I don't know if this will work for you if you have a device / ECG app associated with your account which requires permanent 2FA (which means the Garmin security page prevents you from disabling 2FA.)

    Here are the steps that work for me:


    1) Ensure *email* 2FA is enabled for your account. (This script *should* disable all MFA methods, but it requests a code to be sent via email, as I didn't enable phone MFA and I didn't want to put functionality in the script that was completely untested.)

    2a) Using a computer, log into your account at www.garmin.com. Check the Remember Me checkbox.

    2b) Wait several minutes after logging in, as the following process will request another MFA code from Garmin, and Cloudflare may block you if you ask for too many codes in a given time period.

    3) Open the Garmin MFA page:  https://www.garmin.com/en-US/account/security/mfa/ (this part may not be strictly necessary, but just in case)

    4) While still on the Garmin MFA page, open the browser dev console - CTRL-SHIFT-I (Windows) / CMD-SHIFT-I (Mac) - and click on the Console tab

    5) If you are using Chrome, in the console, type "allow pasting" (without quotes) and press Enter

    6a) In a different tab, open https://pastebin.com/raw/mcKV7tvz or https://pastes.io/raw/connect-2fa (either of these pages will contain JavaScript code that you will eventually run in your browser).

    Copy and paste all the text into the original console. (This will not cause the browser to take any action - yet.)

    6b) Return to the original console and type:

    sendGarminMfa("[email protected]")

    (Replace [email protected] with your actual email address)

    Garmin should send you an email with a verification code: e.g. 123456

    6c) In the console, type

    disableGarminMfa("[email protected]", "123456")

    (Replace [email protected] with your actual email address)

    (Replace 123456 with the actual code from the email. The code needs to be quoted as above)


    Again, I cannot guarantee this will work for anyone who has truly "permanent" 2FA, as I never tested that way.

    For anyone who does have permanent 2FA (where the security page prevents you from disabling 2FA), I would genuinely be interested to hear about your experience with the script (whether it works for you or not).