First, let me say I'm a computer science engineer. Second, excuse me because english is not my native language.
-2FA autentication is done sending a code though the Internet (public Network) and to an email destination. Really Garmin, why?
Things:
- The code is being sent through the public network
- We are beliving the destination servers are secured by default. Do you think everybody uses known servers like Gmail?
- This implementation is really poor. I can't believe a company like Garmin that had a very big issue with the hackers few years ago is doing such a mistake
- Imagine now a hacker creating accounts and sending codes to his server so he cans analyze them and find perhaps something.
As It happens in most technological companies. 2FA autenticator is usually delegated to specific applications like Okta or Authy. You don't need to wait for an email with a code because the code is made instantly in the application. There are cases like Okta, that you can just push into a notification to alllow the autentication (no need of code, but you can also use a code if you want).
But here is what I think this should be. Garmin has a fantastic application called Garmin Connect Mobile. The 2FA of the Garmin Connect Web or the Garmin Forums should be done using the Garmin Connect Mobile.
That means, that:
- The secret code is not going outside the company
- 2FA will be much faster since everything is inside between the servers of Garmin's Networks (and not sending anything to who knows to which final email server).
Can someone please speak with Garmin's security team?
Thanks