velocipederider
Pico de Orizaba
Status: Open To Voting

Since there is a lot of potentially sensitive data on Strava it would be nice if you provided some 2FA login methods, such as TOTP and WebAuthn.

30 Comments
velocipederider
Pico de Orizaba

For anyone who is unclear 2FA would be Two-Factor Authentication, i.e. something in addition to your password, such as a FIDO hardware key (like a Yubikey) or Authenticator App.

CreakyCrank
Mount Logan

This is a brilliant idea - makes sense... let's open up for kudos!

Status changed to: Open To Voting
Soren
Denali

Thanks for submitting your idea regarding enabling Two Factor Authorization. It has been reviewed by our moderation team and is now open to voting.

Jan_Mantau
Superuser

Sorry, but 2FA is a menace to use and I don't want it to expand to every login in my life. Besides that, it seems just impossible to achieve 2FA if you count in the watches, apps, bike computers and so on that connect automatically to Strava for downloading segments, routes or uploading activities.

velocipederider
Pico de Orizaba

@Jan_Mantau ? So don't use it. Nobody is asking for it to be mandatory.

velocipederider
Pico de Orizaba

As for impossible: downloading segments or uploading activities requires limited access, not complete access to all of your personal information. App passwords fix this.

velocipederider
Pico de Orizaba

Actually, now I think about it, the app I use for recording never required any password at all. You add the app and have to authenticate that it is allowed within the main Strava install, i.e. OAuth:

https://developers.strava.com/docs/authentication/

So the external devices you worry about do not need to handle 2FA, since Strava authentication setup already has this covered. You only need 2FA for the main install.

Jan_Mantau
Superuser

@velocipederider You're right on both counts: the REST API from Strava doesn't require a full login and 2FA doesn't need to be mandatory. I only hope in the latter case that they don't nag you about setting the second factor on every login like every other service where 2FA is optional.

velocipederider
Pico de Orizaba

I probably have a different experience than you because we use different services and of course I am someone who is already keen to enable 2FA (so I might not have noticed when it has been pushed aggressively, as I would likely just accept that), but my memory and personal experience has been that the only places that try and force 2FA are banking/financial services and, very recently, GitHub. Also Google requires it in certain circumstances (e.g. for accounts they decide are likely to be targeted).

On a personal level I think those situations are all OK, but I agree in principle that there should not be hard requirements for most services, as 2FA is certainly a trade-off. It is more to manage for the average user and, whilst in some sense it can be more secure, it also increases the likelihood of a user "shooting themselves in the foot". Users often, for example, start using an authenticator app for TOTP on their phone but have not considered what they will do if they lose their phone or upgrade, thus it is easy for them to accidentally lock themselves out of their own accounts. That is not a great trade-off for many.

In summary, whilst I would advocate offering 2FA to those that want it (because I consider much of the data here potentially sensitive), I am not for mandatory 2FA on Strava accounts. I just think it is nice to offer and somewhat expected when you consider what others in the wider "tech health" industry increasingly provide (Garmin, Fitbit, etc.).
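The thread above asks for TOTP as an optional second factor on the main Strava login and then raises the lock-out problem when a user loses the phone holding the authenticator. The following is an added example, not Strava's code or anything from the original posts: a minimal RFC 6238 TOTP verifier (HMAC-SHA1, 30-second steps, the defaults authenticator apps use) together with single-use recovery codes stored only as hashes, which is the usual answer to the lost-phone case. The secret in the demo is the RFC 6238 reference key, a constructed value, and the helper names are this example's own.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not Strava's code. Implements RFC 4226 HOTP / RFC 6238 TOTP
# with HMAC-SHA1 (the variant authenticator apps use by default) and a set of
# single-use recovery codes so that losing the phone does not lock the user out.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock skew).

    Comparison is constant-time. A real server would also remember the last
    accepted step so one code cannot be replayed within its validity window.
    """
    if not (code.isdigit() and len(code) == digits):
        return False
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * step, digits, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def generate_recovery_codes(count: int = 8):
    """Return (plaintext codes to show the user once, hashed set to store server-side)."""
    plaintext = [secrets.token_hex(5) for _ in range(count)]   # 10 hex chars each
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plaintext}
    return plaintext, stored


def redeem_recovery_code(stored: set, submitted: str) -> bool:
    """Consume a recovery code: valid exactly once, then removed from the stored set."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 reference key, not a real user's secret.
    key = b"12345678901234567890"
    now = 1111111111
    print("current 8-digit code:", totp(key, now, digits=8))
    codes, vault = generate_recovery_codes()
    print("recovery codes (show once):", codes)
    print("first redeem:", redeem_recovery_code(vault, codes[0]))
    print("second redeem of same code:", redeem_recovery_code(vault, codes[0]))
```

The `window` parameter is the usual compromise between tolerating phone clock drift and keeping each code short-lived; the recovery-code set is what makes "I lost my phone" a support-free recovery rather than a lock-out, provided the codes were shown to the user at enrolment and stored only as hashes.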

cy-linder
Superuser

Hi @velocipederider,

Thank you for bringing this up. I raised this topic more than a year ago in the old support system. Back then I received the answer "we are collecting feedback"...

I hope your contribution here brings the necessary feedback to finally implement this security feature.

Cheers
Uli

https://www.strava.com/athletes/62919839
ewbb
Mt. Kenya

I think 2FA/MFA is an essential for any application in this day and age. And by "essential" I don't mean mandatory, but at least offered. I'm not sure you can consider an account to be secure without it. I think this should be a priority feature.

CyclingBas
Mt. Kenya

See what happens when you don't have MFA:

https://www.strava.com/athletes/180299/posts/24393323

Pro athlete Ellen van Dijk has been hacked.

RR
Mt. Kenya

Yes please.

Evidenz
Mt. Kenya

Thanks for the proposal! Every account-bound service should [must] have a 2FA possibility IMHO nowadays.

SydR
Mt. Kenya

I came here to raise the same thing. Glad to see it already has been. 2FA is essential for many things now and a must for Strava given the nature of the information they hold on us.