ECG 2FA Observations

I wish I had known about the permanent 2FA requirement to enable the ECG functionality before I upgraded to a new device, because it makes no sense to me to enable 2FA forever when I may use ECG functionality once or twice and I use the Connect app/website multiple times a day. It will make getting access to the fitness data I actually use way less convenient, and that will be like 99+% of what I use Connect for. You should just split the ECG functionality off into a separate app / website or something, because I can't see any benefit in intermingling my fitness and ECG data when the ramifications of this decision are so severe. I use a Stelio CGM for blood glucose monitoring and that doesn't even require 2FA for the app. As it is, I guess I'll buy a separate ECG device like a KardiaMobile if I ever get to the point of needing one.

  • So the GC app only requires a 2FA code once, when you log in for the first time after installing it on your phone. After that, use it as normal. I have 2FA on my Garmin account, I use the app multiple times a day and I'm not prompted for an OTP on the app (only when I upgraded my phone and installed the app fresh).

    The website will require it periodically (but not all that often, my sessions remain valid for over a week) but definitely not for every use, just make sure you use the same session (same device and same browser). And when the code is required, the email (for me) arrives in less than 5 seconds, it's a very minor inconvenience at best.

    And 2FA/MFA is a good security feature which is highly recommended to use for all services that offer it - keep your data safe. Even secure passwords can be cracked by brute force, and many people reuse passwords or use weak passwords that are easy to guess. 2FA means that even if your password is compromised, your data is safe from unauthorised access. That's a good thing!

  • Yeah, when I did some more research I saw some people saying it wasn't that bad - but it looks like it would break 3rd party tools (e.g. GarminDB) that I use to analyze my data. It just seems unnecessary to me, I'm not worried about people getting access to my fitness data. I looked into getting a KardiaMobile for EKG and I couldn't find anything saying that it requires 2FA for access to its EKG data (which is 6 lead - so superior to Garmin's) - it seems kind of like this is more CYA for Garmin than it is a real regulatory requirement.

  • It did at first (only reason I didn't enable 2FA right away on my account)

    But there are clever folks out there who have resolved that issue. I use a Python script to download my activities for offline backup (I'm a geek and I like tinkering), and the author has implemented a Python library 'garth' which handles the 2FA: it'll prompt you for the token and then store a local session file, and the next time you run the script it can pick up the session from the file, without needing to re-authorise every time. I've been running that for months now without needing to re-authorise!

    So the download tool I use: https://github.com/cyberjunky/python-garminconnect

    And the python package: https://pypi.org/project/garth/ (source: https://github.com/matin/garth/tree/main )

    If your tools are open source and Python, it should be super easy to implement this (or submit a PR to the code owner to implement it). Or if not Python, you might be able to extract the method from these libraries (or look for one ready-made for whatever language).

    And ya, don't think this is regulatory, definitely CYA and just recommended security best practices in general. MFA in general has for sure saved my A a few times! I'm a believer

    Edit: I see GarminDB is also a git repo, and is Python - brilliant, so it should be very doable to implement (or request the code owner to) the garth authentication :)

    Edit 2: I see GarminDB already implements garth (https://github.com/tcgoetz/GarminDB/blob/master/requirements.txt) so 2FA should be supported already
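The resume-or-log-in pattern described in the post above, written out as an added example (not code from this thread, from garth, or from GarminDB). It assumes garth's `resume()`, `login()` and `save()` calls and the `prompt_mfa` keyword as I recall them from its README, and it locks the session directory down to the owner, since the cached tokens stand in for both your password and the 2FA code.

```python
"""Reuse a cached Garmin session; only prompt for 2FA when no valid session exists."""
import stat
from getpass import getpass
from pathlib import Path

# Where the cached OAuth tokens live (assumed default; any private directory works).
SESSION_DIR = Path.home() / ".garth"


def restrict_permissions(session_dir: Path) -> None:
    """Owner-only on the directory and every token file: these tokens bypass 2FA."""
    session_dir.chmod(stat.S_IRWXU)                        # drwx------
    for path in session_dir.iterdir():
        path.chmod(stat.S_IRUSR | stat.S_IWUSR)            # -rw-------


def session_is_private(session_dir: Path) -> bool:
    """True when neither the directory nor any file in it is group/other accessible."""
    if not session_dir.is_dir():
        return False
    mask = stat.S_IRWXG | stat.S_IRWXO
    return all((p.stat().st_mode & mask) == 0
               for p in [session_dir, *session_dir.iterdir()])


def get_client(session_dir: Path = SESSION_DIR, *, email=None, password=None):
    """Resume the saved session if it still works; otherwise log in (with 2FA) and cache it."""
    import garth  # imported lazily so the permission helpers run without garth installed

    if session_dir.is_dir() and not session_is_private(session_dir):
        restrict_permissions(session_dir)      # repair a loosely-permissioned cache first
    try:
        garth.resume(str(session_dir))         # assumed API: loads tokens from the directory
        garth.client.username                  # assumed: triggers a request; fails if expired
        return garth.client
    except Exception:
        pass                                   # no cache or stale tokens: fall through to login

    email = email or input("Garmin email: ")
    password = password or getpass("Garmin password: ")
    # assumed API: prompt_mfa is called only when the account has 2FA enabled
    garth.login(email, password, prompt_mfa=lambda: input("2FA code from email: "))
    garth.save(str(session_dir))
    restrict_permissions(session_dir)
    return garth.client


if __name__ == "__main__":
    client = get_client()
    print("logged in as", client.username)
```

On first run you are asked for the emailed code once; subsequent runs resume from the directory, which is why the tokens there deserve the same care as a password.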