PayPal now supports proper OTP 2FA apps – but no recovery codes and no U2F!

In 2013 I published the blog post:

Paypal – How to not implement 2-Factor-Authentication

Since then PayPal has had a lot of hits and misses with 2FA, as you can read in countless blog posts out there.

I cannot tell you exactly when, but at some point in the last 2 years PayPal managed to implement support for proper 2FA OTP apps like Google Authenticator, Authy, LastPass Authenticator and YubiKey OTP, to name only a few!

You can set this up by logging into the PayPal website and navigating to the Security Settings:

It is now finally also possible to remove SMS-2FA entirely, which is a good idea when securing your money:

If your mobile phone number is still listed there, add a “Third-party code generator app”, switch it to your primary device and remove the mobile number!

I'm always of the mindset that SMS-2FA is better than no 2FA at all, but it's not state of the art and has proven easily breakable by SIM swapping!

No U2F – will PayPal ever support it?

So before we praise PayPal for finally implementing TOTP properly on their website (by the way, they don't offer recovery codes when setting up 2FA...), let's note that it is 2019: U2F and cheap tokens like YubiKeys, and even cheaper U2F-only tokens, are now available and will prevent phishing of your second factor!

Read up on Wikipedia on how U2F prevents a MITM website from stealing your second factor!

So definitely switch your PayPal account over to an OTP app like Authy and deactivate SMS-2FA, but beware that you still have to be careful not to enter your login credentials plus 2FA code into a phishing site!
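As an added illustration of the point above (not code from this post or from PayPal), here is a small Python model of the two server-side checks: an RFC 6238 TOTP code is a bare string that verifies no matter which page it was typed into, while a U2F-style assertion carries the origin the browser was actually showing, and the relying party rejects it when that origin is not its own. The U2F part is simplified: the client-data layout and origin check follow U2F, but an HMAC with a per-credential secret stands in for the real ECDSA signature, and every name, key and origin other than paypal.com is an assumption.

```python
import base64, hashlib, hmac, json, secrets, struct

def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_server_accepts(secret_b32: str, submitted: str, now: int, drift: int = 1) -> bool:
    """Server-side check: the code is a bare string, nothing ties it to the page it was typed on."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30), submitted)
               for d in range(-drift, drift + 1))

# Simplified U2F: the browser writes the origin it is really showing into the client data and the
# token signs sha256(origin) + sha256(client data). Real U2F uses ECDSA P-256; HMAC is a stand-in.
def u2f_sign(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": base64.b64encode(challenge).decode(),
                              "origin": browser_origin}).encode()
    app_param = hashlib.sha256(browser_origin.encode()).digest()
    sig = hmac.new(cred_key, app_param + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

def u2f_verify(cred_key: bytes, expected_origin: str, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: origin and challenge must match what this server issued."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or base64.b64decode(cd["challenge"]) != issued_challenge:
        return False
    app_param = hashlib.sha256(expected_origin.encode()).digest()
    expected = hmac.new(cred_key, app_param + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def compare_second_factors(now: int) -> dict:
    """Same user, same token, but the browser shows a look-alike origin (constructed sample values)."""
    secret, cred_key = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", secrets.token_bytes(32)  # RFC 6238 test secret
    challenge = secrets.token_bytes(32)
    genuine = u2f_sign(cred_key, "https://www.paypal.com", challenge)
    lookalike = u2f_sign(cred_key, "https://www.paypal-login.test", challenge)  # assumed look-alike
    return {
        # the TOTP code the user reads off the app is valid no matter which site received it
        "totp_accepted_from_other_site": totp_server_accepts(secret, totp(secret, now), now),
        "u2f_accepted_genuine_origin": u2f_verify(cred_key, "https://www.paypal.com", challenge, genuine),
        "u2f_accepted_lookalike_origin": u2f_verify(cred_key, "https://www.paypal.com", challenge, lookalike),
    }
if __name__ == "__main__":
    print(compare_second_factors(1111111109))
```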

