They might not want your FTP, but now they have your email and potential password.
People often recycle passwords so that’s leverage to hack into other accounts. Ones that you might want to keep secret.
+1 for this feature please
The bigger one I care about is whether or not you require all TR employees to use 2FA. If not, then that is a pretty massive security hole waiting to get exploited.
If this was aimed at my comment I apologise if any confusion was caused. I’m definitely not saying a compromised user instantly compromises anything internal to TR. I tried to even make that clear by saying I had no knowledge of their setup and for all I know they could be on totally isolated platforms.
That being said it shouldn’t be overlooked and it’s all too easy for account holders to sit and say “I’ve nothing worth stealing so I’m not a risk” in an argument against improving security. It’s all too easy to move laterally once inside an environment if you have the skills.
Do push authorization through the TR mobile app.
I love that the person who is threatening to cancel their TR subscription because of a security breach at Garmin, is also threatening to cancel their TR subscription if TR moved to improve their security.
Awww. I got your feelings hurt. I apologize for not having a view that is not the same as yours.
I truly have nothing to hide as outrageous as it may seem. I keep things simple and don’t worry about low possibility outcomes and things out of my control. Life is a lot simpler when you worry less.
We do require 2FA for TR employees for all of our sensitive stuff (code, data, communication).
There are some applications that we use that don’t have 2FA. IE design mockups on a third party system don’t have 2FA on it. But if that gets hacked/leaked it’s not the end of the world.
You can not. TR employees can’t even see your payment information. It’s all held on Braintree which is owned by PayPal.
And access to Braintree of TR employees (to look up stuff like name and last 4 digits) is protected by 2FA and restricted to just a few TR employees.
We’d like to do this in the future, but for now we suggest that you set your entire account to private.
That’s why you salt the password from the user and take that result and hash it. You don’t compare the person’s password to what the user sends in, you compare the hash. If someone steals the DB with everyone’s login they won’t have everyone’s actual password.
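An added example (not from the thread and not TrainerRoad's code) of the salt-then-hash comparison described in the post above, using PBKDF2 from Python's standard library. The iteration count, user names and password are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-derive the digest with the stored salt and compare digests, never passwords."""
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, stored_digest)


def build_sample_db():
    """Constructed sample: two users who happen to choose the same password."""
    db = {}
    for user in ("alice@example.com", "bob@example.com"):
        db[user] = hash_password("correct horse battery staple")
    return db


def login(db, user, password):
    """Look up the user's (salt, digest) record and check the submitted password."""
    record = db.get(user)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


if __name__ == "__main__":
    db = build_sample_db()
    # Same password, different salts: the stored digests do not match each other.
    print(db["alice@example.com"][1] != db["bob@example.com"][1])
    print(login(db, "alice@example.com", "correct horse battery staple"))
    print(login(db, "alice@example.com", "wrong guess"))
```

Because each record has its own salt, a stolen copy of `db` reveals neither the password nor the fact that the two users share one.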
“Makes notes for future email phishing attempt”
You hope! But there are always stories of plain text passwords.
Yes, this is what happens. We can’t read your password or “decrypt” it. This is built into our .NET identity provider.
Whenever you click “reset my password” and they email you your password it’s A VERY BAD SYSTEM!
Wait, this happens!?
Oh yah, all the time!
Any update to implementing 2FA?
+1 for 2FA if someone is still keeping track.
+1 as well.