Strava Pin Code / 2FA Login – how to change it – a nice workaround

Strava Pin code / 2FA Login: How to Workaround

I wrote yesterday about Garmin’s odd and irreversible implementation of 2FA logins. These required me and many others to wait 30 seconds or so daily for a passcode to be emailed whenever I use Connect or the Garmin forums on desktop. Once enabled, there is no way to back out of 2FA with Garmin other than deleting your account and starting over.

Strava has a similar situation with its PIN Code login. However, for Strava, the annoyances it creates by complicating logging in are more commercially serious. Strava actively wants you to use your account; it’s a social platform, and Garmin is different as it has already got you to buy the watch.

Regulation: Why 2FA Matters

2FA adds security because it requires two things: something you know (your password) and something you have (a separate device of some sort). A thief might know your password from an online security breach but is unlikely to have that device as well.

Strava’s 2FA policy is linked to legal obligations. Under GDPR, specifically Articles 5, 25, and 32, companies handling sensitive personal data, such as health metrics or geolocation, face intense pressure to implement robust security measures.

This has nothing to do with fraud prevention.

Strava’s 2FA – My Experience

I have several Strava accounts. The one I use the least is not a subscriber account and, bizarrely, contains my cleanest set of data. I use this only to link to HRV4Training. I enabled 2FA via the PIN code to test if I could set the same PIN code for all my Strava accounts. A PIN code would have been easier because Strava deliberately made the password entry box harder to navigate to and use.

So that was the end of my test, and it was time to revert, which, of course, you’ve already figured out is not possible.

After weeks of increasing frustration, I found a workaround that suited me, but not everyone will like it.

Take Out: Your choices.

Strava’s irreversible 2FA is frustrating, but it is driven by regulation and is a way for Strava to mitigate financial and reputational risk.

For now, if you seek to disable 2FA, there is no way back. Here are your choices:

  • Use your Google Account to log in. The account must use the same email address (I created a new Google account). Apple accounts also work. These third-party login methods have the required security baked in.
  • Delete your account and start over.

 

the5krunner.com © 2010-2025

tfk, the5krunner

7 thoughts on “Strava Pin Code / 2FA Login – how to change it – a nice workaround”

  1. I’d feel better if they let me use a 2FA app to generate a token instead of waiting for an email.

    1. So annoying that I had to delete my account and create a new one. And no passkeys for Epix Pro, Fenix 7.

  2. Shortly after enabling it for ECG on the Venu 3 a couple years ago, I realized how annoying it was, and that you can’t undo it. I did the nuclear option – started a new account. I’ve been very careful not to enable it again. Sad thing is I did all this for ECG which is completely useless to me since my resting HR is below 50.

    Garmin’s hands are largely tied by the regulations. It does seem like they could come up with a solution to disable it by deleting all relevant data like ECG. I do suspect most users mostly use the App rather than the web so it may not matter to them, so may not be worth Garmin’s efforts. But if you regularly use the web to access your data or the forums, it’s a major PITA.

    Every once in a while, I go to access that old account to grab an old course or something. So annoying to have to use 2FA for something I could care less if the whole world could see it. Glad I ripped the band-aid off years ago and started over.

  3. I cannot even find a 2FA option in Strava. I just have the option to have it email me a pin code INSTEAD of using a password. This would make login more like the typical behavior of Substack.

    The thing I don’t like about the Garmin 2FA is that it only works by sending email or (optionally) SMS. It should support TOTP codes at a minimum and probably passkeys.
