Request FIDO U2F as second factor.
I am not happy (I suppose the same goes for many PayPal customers out there) to purchase a key from each website I transact with.
1. Security Questions are good.
2. TOTP token which we can use with Google Authenticator or other app is OK.
3. FIDO U2F is good, actually an ingenious, awesome second factor.
By good I mean we desire them. If in doubt, please learn from Google regarding authentication options.
Hope PayPal listens to this positive feedback.
Yes, PayPal clearly needs to support FIDO U2F...
PayPal is part of the FIDO Alliance, they really should consider adopting U2F second factors!
I agree, I just recently purchased a YubiKey NEO and it would be good to be able to use it with PayPal.
I agree with this request. FIDO U2F implementation would be very responsible of PayPal.
1. Security Questions are bad, especially when predefined. That's one of the most common ways for accounts to be compromised.
2. TOTP with Google or other authenticator is badly needed. It's a good system that's readily available.
3. FIDO would be good, but many people aren't willing to buy a hardware key, hence the need for #2.
4. SMS authentication is not good. Delivery is unreliable and insecure.
5. Forcing people to type new passwords instead of pasting from a password manager is painful and counterproductive, since it discourages people from using secure passwords.
6. PayPal badly needs to do much more in security.
@JNavas2 wrote:
2. TOTP with Google or other authenticator is badly needed. It's a good system that's readily available.
3. FIDO would be good, but many people aren't willing to buy a hardware key, hence the need for #2.
4. SMS authentication is not good. Delivery is unreliable and insecure.
2. It's a million miles from an ideal solution but it should be the absolute minimum standard supported. It has fairly serious security weaknesses that are almost impossible to mitigate though.
3. People should be prepared to get willing. U2F tokens are cheap and this is the standard that's coming down the hill - it's far more secure against well-funded and determined actors than TOTP (et al.) and cheaper and easier to implement than other crypto token device support and far more user-friendly. Be prepared to buy two - one for backup - whilst you're at it. It's also supported by all the major browsers people care about (Chrome/Firefox and I believe there's Opera support also).
4. SMS isn't even close to fit for purpose; there have been occasions where people have had their phone accounts moved to a third-party device for way less serious reasons than having money stolen.
@streaky81 wrote:
2. It's a million miles from an ideal solution but it should be the absolute minimum standard supported. It has fairly serious security weaknesses that are almost impossible to mitigate though.
3. People should be prepared to get willing. U2F tokens are cheap and this is the standard that's coming down the hill - it's far more secure against well-funded and determined actors than TOTP (et al.) and cheaper and easier to implement than other crypto token device support and far more user-friendly. Be prepared to buy two - one for backup - whilst you're at it. It's also supported by all the major browsers people care about (Chrome/Firefox and I believe there's Opera support also).
4. SMS isn't even close to fit for purpose; there have been occasions where people have had their phone accounts moved to a third-party device for way less serious reasons than having money stolen.
2. TOTP (Google Authenticator): With respect, the security issues are not significant to everyday users. The biggest obstacle is the hassle factor (see below). PayPal should nonetheless use it to replace the seriously flawed Symantec VIP.
3. U2F: With respect, people won't change. Given a choice between convenience (freedom from hassle) and security (hassle), most people will choose convenience. That's why the most common password is 123456. The better alternative is TOTP because there is at least some chance that people will actually use it.
4. SMS: Agreed.
My own experience is a case in point. I recently tested a YubiKey NEO, and abandoned it almost immediately. Too much pain for too little gain. And I'm a technologist. My clients would never use it.
@JNavas2 wrote:
My own experience is a case in point. I recently tested a YubiKey NEO, and abandoned it almost immediately. Too much pain for too little gain. And I'm a technologist. My clients would never use it.
A question - did you actually test U2F? YubiKey NEO also supports OTP, which is more fiddly to set up (but broadly supported, as it simply emulates a keyboard), while U2F does not yet have the wide adoption but is trivial to set up. The request here is for U2F support, not OTP.
I tried both U2F and OTP. And as I wrote, too much pain for too little gain.
I would call it more laboratory curiosity than finished product.