When is 2FA enforced? General security questions

[cjappl]

I was surprised to see that despite 2FA being enabled on my venmo account, I was able to get a token, and request money without going through the 2FA process.

What's the nature of these endpoints? Is this a security hole that they haven't patched?

Or perhaps I would be blocked from sending money until I use 2FA?

Super grateful for your work on this project. Made setting up a little glue-code project a breeze.

[mmohades]

That's strange. I mean the chances are too low that it happen.
So the way that 2FA works is based on the device-id that is sent in. If you don't provide a device ID in the login process, a random device ID is generated by the wrapper, and that one is used. That device ID will then be added to your trusted device ids.

So 2FA won't be required if that device-id has been trusted by your account previously. If you didn't provide the device-id, then it means it randomly generated your actual device-id, which is almost impossible.

[mmohades]

Here is where the random device ID is generated in case you were interested:
https://github.com/mmohades/Venmo/blob/master/venmo_api/utils/model_util.py#L36

[cjappl]

Really interesting. I think this has to be a bug on their side then.

Up until this point, I didn't know I needed to put the device ID in the login request. My process was exactly like in the README. I guess this means I'm getting the randomized device ID!

from venmo_api import Client

# Get your access token. You will need to complete the 2FA process
access_token = Client.get_access_token(username='myemail@random.com',
                                       password='your password')
venmo = Client(access_token=access_token)

The logins I've gotten have worked without 2FA, and have been persisting over multiple days with the same access token. I have also never added these devices to my remembered devices, all my remembered devices are accounted for.

It appears I can do anything I want with them, I haven't yet tried sending money.

Very strange, it seems like for some reason they aren't enforcing 2FA on devices with no device_id?