Skip to content

Widget+cffi fails with email MFA — unexpected title 'GARMIN Authentication Application' #109

Description

@ajgbanach-ops

Describe the bug
When running garmin-mcp-auth on an account with email-based MFA (mandatory for accounts with ECG-capable devices), authentication fails at the widget+cffi step with the following error:
widget+cffi failed: Widget login: unexpected title 'GARMIN Authentication Application'
✗ Authentication failed
Invalid email or password.
The "Invalid email or password" message is misleading — credentials are correct. The real issue is that the widget+cffi strategy doesn't handle the email MFA page.
Environment

Device: Garmin Venu 4 (ECG-capable → MFA mandatory, cannot be disabled)
MFA type: Email (one-time code sent to registered email)
OS: Windows 11
Command: uvx --python 3.12 --from git+https://github.com/Taxuspt/garmin_mcp garmin-mcp-auth

Full output
mobile+cffi returned 429: Mobile login returned 429 — IP rate limited by Garmin
mobile+requests returned 429: Mobile login returned 429 — IP rate limited by Garmin
widget+cffi failed: Widget login: unexpected title 'GARMIN Authentication Application'
✗ Authentication failed
Invalid email or password.
Root cause
The widget+cffi strategy (which correctly bypasses the per-account 429 rate limit) handles MFA when the page title is "Enter MFA code for login". However, email-based MFA renders a page with the title "GARMIN Authentication Application" instead. The strategy doesn't recognise this title and fails silently.
Background: the widget+cffi approach was introduced to bypass per-account 429 rate limiting (see cyberjunky/python-garminconnect#344), and works correctly for TOTP/authenticator MFA. Email MFA uses a different page title in Garmin's SSO flow.
Expected behavior
The tool should recognise the "GARMIN Authentication Application" page title as an email MFA prompt, display a message like "Check your email for a one-time code", wait for user input, and submit the code to complete authentication.
Possible fix
In the widget+cffi login handler, extend the MFA title check to also match "GARMIN Authentication Application" alongside the existing "Enter MFA code for login" check, then POST the entered code to /sso/verifyMFA/loginEnterMfaCode.
Additional context
Accounts linked to ECG-capable devices (Venu 4, Fenix 8, etc.) have MFA permanently enforced by Garmin and cannot disable it. This makes garmin-mcp-auth completely non-functional for a non-trivial subset of users. Fixing email MFA support in widget+cffi would unblock all of them.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions