TrainerRoad 2FA? (2-Factor Authentication)

#1

I see the forum has a 2FA option which isn’t available if using oAuth from the TR website. Can you advise if 2FA will be available for the TR website at some point? Now that you’re collecting a lot more personal data (i.e. outdoor ride data, ride notes, etc) securing the account with 2FA would be a nice addition.

Thanks!


#2

I’ve thought about it before. You’re the first person to ever ask for it. If a lot of people ask for it we will add it.


#3

I agree, 2FA would be a nice feature and offer some peace of mind.


#4

+1 for 2FA (for TrainerRoad accounts).


#5

+1 for 2FA via QR code and temporary one-time password (Google Authenticator, Authy, 1Password support this). Safer than SMS-based.


#6

Probably should change the title to “TrainerRoad 2FA (2 Factor Authentication - for account protection)”

I didn’t know what it meant but once I looked it up I thought it is a good idea.


#7

I would agree. 2FA certainly gives more security. I also think it shows that companies who use it think about security.


#8

As a security professional I would support a move to 2FA! 🔐


#9

+1 for 2FA


#10

+1


#11

Thanks @Nate. Yes, I think it’s critical now that we’re importing more and more personal data into the platform. And to close the loop on the implementation idea, I’d recommend TOTP (Authy, FreeOTP, 1Password, etc). For me it’s all about privacy and security. I have a whole lot more questions about how data is stored at rest at TrainerRoad; I’m hoping there isn’t some S2 bucket in AWS holding our data unencrypted. I’ve not explored TR’s GDPR compliance. Another cool thing, assuming the data is secure and private at rest, would be a tick box that blocks support from viewing the personal data, which could be unticked if a support case was opened and required access to the data. I know, wishful thinking, but why not forward think privacy and security? It’s good for everyone.


#12

+1 in support of the idea. It’s not a mission critical item, but certainly warrants some thought given the amount of personal data TR now holds.


#13

+1 for 2FA


#14

2FA all the things!

But don’t reinvent the wheel. Just use the Google Authenticator app and QR codes. Don’t waste time on silly attempts at 2FA like using text messages.


#15

To clarify, Google Authenticator uses TOTP.


#16

0.5 vote from me. Good practice, but TR doesn’t hold any data of mine I am too concerned about (of course, I’d prefer you not to pastebin my data though).


#17

I’d use it if it was there but wouldn’t put it as a huge priority.


#18

I agree. I don’t see that TR has any data of mine that is especially private.


#19

+1 for 2FA


#20

I totally don’t want Chris Froome hijacking my FTP. Please spend countless hours implementing.

Seems like an easier route would be Auth0 or a service like it!