Let me give an example of how not to implement 2-Factor Authentication: The Paypal way!
I have to give Paypal credit for the fact that they introduced SMS 2-Factor Authentication quite some time ago. According to this link they introduced it around the end of 2008, which I guess is not too bad compared to other services.
I cannot really remember when I activated this extra bit of security for my account, but I can tell you it was before I got my first iPad and before I started using iPhones and iPads for daily business like ordering and paying for a pizza online.
Here is why: IT DOES NOT WORK!
How it normally works is that you go to paypal.com (or get referred there by an online shop), enter your credentials and get presented with a second page which gives you the option to request the SMS OTP code by clicking a button and entering it to proceed with your payment.
Now here is the problem: Paypal analyzes your browser's user agent string and presents you with a different login page for smartphones and tablets (tested on iOS and Android).
For this mobile site they require you to add your OTP code to the end of your password. Guess what: I cannot enter it if I cannot request it, and I cannot request it if you don't present me with the button to do so!
The same sad thing is true for their App:
So what's with that, Paypal?! Don't you test your applications at least superficially for usability?!
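To make the two login forms described above concrete, here is an added example (my own illustration, not Paypal's code and not the Symantec VIP Access implementation) of a server-side verifier that handles both: an OTP submitted in its own field, and the "append the code to your password" form the mobile site uses. The OTP is standard TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30-second steps) using the RFC's published test secret; the user record, password and helper names are constructed for the example. Splitting a combined string only works if the server assumes a fixed code length, and the suffix form has to reject a password submitted without a code, otherwise the second factor is silently bypassed. Without a way to obtain the code, the suffix login fails, which is exactly the behaviour the post complains about.

```python
import hashlib
import hmac
import os
import struct

OTP_DIGITS = 6   # fixed code length is what makes the password+code split possible at all
OTP_STEP = 30    # RFC 6238 default time step in seconds


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift), compared in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + d * OTP_STEP), code)
        for d in range(-window, window + 1)
    )


# Constructed user record: a PBKDF2 password hash plus one enrolled OTP secret.
# The secret is the RFC 6238 test key, so the codes below match the RFC's vectors.
_SALT = os.urandom(16)
_PASSWORD = "correct horse battery"
USER = {
    "salt": _SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", _PASSWORD.encode(), _SALT, 100_000),
    "otp_secret": b"12345678901234567890",
}


def _password_ok(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), USER["salt"], 100_000)
    return hmac.compare_digest(candidate, USER["pw_hash"])


def login_two_step(password: str, otp_code: str, at: int) -> bool:
    """Desktop flow: the second factor arrives in its own field, nothing to guess."""
    return _password_ok(password) and verify_totp(USER["otp_secret"], otp_code, at)


def login_password_suffix(combined: str, at: int) -> bool:
    """Mobile flow: 'add the code to the end of your password'.
    The server can only split on the fixed code length, and it must not fall back
    to password-only when no code is present, or the second factor is bypassed."""
    if len(combined) <= OTP_DIGITS:
        return False
    password, otp_code = combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
    if not otp_code.isdigit():
        return False
    return _password_ok(password) and verify_totp(USER["otp_secret"], otp_code, at)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 6-digit code here is 287082
    code = totp(USER["otp_secret"], now)
    print("separate field :", login_two_step(_PASSWORD, code, now))
    print("password+code  :", login_password_suffix(_PASSWORD + code, now))
    print("password only  :", login_password_suffix(_PASSWORD, now))  # rejected
```

The suffix form also breaks for any password that happens to end in six digits, since the server cannot tell where the password stops; a separate field, as on the desktop page, avoids both that ambiguity and the "I cannot request it" dead end.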
So I lived with that for maybe a year now and just did not pay with Paypal anymore (the delivery guy does not mind cash). But this week I had some spare time and wanted to dig a bit deeper.
So I am not the only one who wants to order his pizza on the iPad… Surprise…
In the above forum post someone mentions the VIP Access App. I thought this was some standalone OTP app from Paypal but could not find anything that looks like it belongs to Paypal in the App Store.
So I decided to contact Paypal support and told them that I have the exact same issue that is described in their forums, and added a link to the forum post.
The next day I received an answer from Paypal support with the usual blabla that I am an important customer and so forth… and step-by-step instructions on how to disable SMS OTP verification and add the already mentioned VIP Access OTP software (which is free OTP software from Symantec, btw).
So I started with the OS X application, which looks like this:
Next I tried to follow their instructions and add this OTP generator to my paypal account. In your account settings you see the following options regarding 2-Factor-Authentication:
So you get buttons to activate and deactivate existing 2-Factor methods. But no fricking button to add a new method…
What you have to do is click on “more informations” and you will be presented with this lovely designed website:
Another fancy website marketing the SMS 2-Factor method (which I am told to get rid of by the support)…
So what you obviously have to do (duh!) is to click that you want to add a SMS security code! You will get rewarded by this page:
Okay, here you can enter cell phone numbers (which I don't want). So obviously you have to click on cancel! Now you are presented with the whole range of 2-Factor methods Paypal has to offer:
Now we are talking. So I can order a hard token, activate SMS tokens (great) or activate a Security Key. What would you choose to activate a software OTP token generator?
Exactly: the picture that says security key (which shows the same piece of hardware you can order on the left)…
So if you managed to do all that you are rewarded with the actual page that lets you activate your VIP Access OTP software client from Symantec for your Paypal account:
It took me maybe 15-20 minutes and some luck to figure all of this out. And I have already worked with OTP software and hardware token solutions and know my way around implementing and activating them.
But what about the majority of Paypal users? People like my parents who just want to pay for some stuff online?
So everything is fine now?
Not really… I want to pay with my phone, so I don't want to start a program on my computer. So there is an app for iOS and Android from Symantec which does the same.
However I don’t want to set up my Paypal account with only one Software OTP generator on my iPhone. From experience I know that I restore my phone at least once a year and I also just recently had to send it in for a repair and got an exchange device.
If you ever backed up and restored an iPhone you know that not all software backs up all of its settings. Especially security relevant software like OTP generators tend to not back up the security key.
So no problem, you can activate more than one OTP Software Token for your Paypal account as you can see in one of the screenshots above.
However, here comes the funny part: The Paypal App (for iOS at least, did not test Android) still does not work, as you still have to add the OTP code to the end of your password without being presented the page where you can choose which token code you want to enter.
But the mobile website suddenly does present you with a second page after login:
As you can see it is not mobile browser optimized…
One good thing though: as you are now presented with the second login page, you can even reactivate SMS codes for your Paypal account and use them on your smartphone or tablet.
So I can now order and pay my Pizza with my iPad or iPhone again as long as I stick to the browser and do not use the intended App.
The only thing that remains to be said:
Update (March 23rd, 14): as mentioned in the Comments it seems Paypal does now support Google Authenticator. You can read up on it here: http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now
Update (April 9th, 14): The previous update was not true. Lifehacker is only talking about SMS 2 factor auth for Paypal. The OTP options in the Paypal user settings are still as crude as when I first posted this entry.
Update (December 29th, 14): As another commenter noted today, the Paypal app now seems to be able to support SMS 2 factor authentication. However, for me it still does not work, as the Paypal app is telling me it does not support hardware tokens (Symantec VIP Access Software Token in my case):
It seems that it does not work when you have both hardware and SMS 2 factor authentication activated for your account. So the app will only work if you have no other authentication mechanism besides SMS activated, I guess.
This inconsistent implementation of Paypal's 2 factor authentication and this year's publication by Joshua Roberts leave me with a bad feeling about trusting Paypal with my money…
Update (July 17th, 19): By now PayPal managed to implement 3rd Party TOTP Apps like Authy but no Recovery Codes and no U2F… Read it here in my latest Post: