2FA for PayPal and eBay linked accounts

Aerion
Contributor

I've recently linked my PayPal and eBay accounts, after some coaxing from eBay about how much easier this would make it for me to make payments.

 

Well, it doesn't. If anything, it has now created a major hurdle in making payments. Especially considering the fact that I still can't make payments using my mobile app due to the ongoing lack of support for 2FA methods on mobile devices (see link further down).

 

After clicking the Pay Now button, I get asked to enter my PayPal credentials, followed by a request to enter a code that has been sent to my mobile phone number. After having waited for 10 minutes, the code still hadn't arrived, so I asked for the code to get re-sent. Then, just now, 15 minutes after the first code got sent, it finally arrived, but of course, this code is no longer valid as a new one has been sent out—which hasn't arrived yet.

 

The thing is, why is this code getting sent via SMS when I have a Yubikey VIP active on my account, which works perfectly when I try to log into my PayPal account on the PayPal website? Why do I not get an option to switch to my VIP key, or better yet, why is it not the default?

 

SMS is one of the worst, least reliable and most cumbersome 2FA methods, as it relies on you having enough battery to receive the SMS, as well as having mobile signal at the time.

 

To put this in perspective, with SMS verification codes the process is:

 

  1. wait for 10–20 minutes for the SMS to arrive
  2. grab my mobile phone
  3. unlock it
  4. open the SMS app and read the code
  5. remember the code
  6. go back to the browser and enter the code

With my Yubikey VIP, the process is:

 

  1. insert my Yubikey (if it is not already inserted)
  2. touch the contact

And this is not the first time this has happened, as a couple of weeks ago it took about the same amount of time to make a PayPal payment on eBay.

 

 

Given that this is guaranteed to not get fixed (see this 5-year-old thread, "Paypal app (Android) and security key login problems", for evidence), I shall unlink my PayPal and eBay accounts, as paying the old-fashioned way is infinitely faster than trying to use this nifty integration feature. And no, I don't trust eBay enough to remember my PayPal credentials for "even easier and faster" paying. I like to get asked for my credentials as 1) it protects my PayPal account which provides direct access to my bank account and credit cards, and would so allow anyone who hacks my eBay account to go on a spending spree, and 2) it prevents impulse buying.

 

Remember, "New!" or "Improved!" does not always equal better!

7 REPLIES

Aerion
Contributor

It turns out that even after unlinking my PayPal and eBay accounts, I still don't get the PayPal login screen I used to get.

On this new login screen, there is no option to select a security key instead of receiving a code via SMS. I had to wait 7 minutes for the SMS to arrive. This is simply ridiculous.

 

I bought the Yubikey VIP especially for use with PayPal (there is very little else out there that uses Verisign's VIP 2FA method), so as to not have to deal with cumbersome SMS codes that only work if you have mobile signal (which is very bad where I live, I get just about one bar by the window in the kitchen) but now I'm being forced back to SMS codes!

PayPal web design is broken on so many fronts.

Why is it that when I log into the PayPal website itself, I get asked straight away for my security key, with an option to "Use my mobile phone instead", but logging in via the eBay checkout only gives me SMS as the only method, with no option to switch to my security key?

Why is it that when I try to log into the PayPal Community, I enter my name and password, only to get told "For your security, we need you to log in to www.paypal.com first to provide your security key, then come back here to continue."? I then need to open another tab, log into my PayPal account, enter my username and password again, where I get asked for my security key straight away! I then have to go back to the tab with the PayPal Community login and go back two pages before I can then finally log into the community! If I have to log into the Community Forum via the main website, why not send me there straight away instead of asking me for my credentials, only to not use them? Why, at the very least, not ask me for my key on the Community Forum login screen?

Why is it that shipping addresses I've used in the past, most of them no longer valid, can be selected when checking out with PayPal, but there is no way to delete, edit or even just view stored shipping addresses from one's profile?

 

Why is it that a giant like PayPal just can't seem to sort their website and implement proper support for security keys, when many, infinitely smaller companies can?


PayPal_Conor
Moderator

Hi Aerion,

 

This certainly sounds frustrating and I would like to help.

 

What I'm going to do is pass your detailed feedback on to the team who manage the two factor experience at PayPal. You make some very good suggestions and I want to share your comments in the hope that they will be factored in during any future updates of this product.

 

Your comments are also very fair about your experience accessing our community forum while using the PayPal Security Key.

 

In terms of those unwanted shipping addresses, those details are usually stored by the cache and cookies on your computer and in my experience, clearing these files will normally resolve that.

 

Could you give this a try and let me know how you get on?

 

Conor
 


Aerion
Contributor

 

Hi Conor,

 

Thank you for your reply. It's good to see these forums are still being read by PayPal reps.

 

The 2FA experience I get on PayPal is one of the worst of all the sites where I have 2FA enabled. Unfortunately, most of them rely on the Google Authenticator method, which is the second most cumbersome 2FA method, after SMS. Just like SMS, it involves far too many steps:

 

  1. grab my mobile phone
  2. unlock it
  3. open the Authenticator app
  4. enter PIN to unlock the app (I use Authenticator Plus instead of Google Authenticator)
  5. find the security code in the ever growing list of accounts
  6. remember the code
  7. go back to the browser and enter the code

But, unlike SMS, at least it doesn't rely on having active mobile reception. It is still subject to having sufficient battery, however.

 

Even though it involves just as many steps as codes via SMS, and is just as cumbersome, I'd rather that PayPal supported Google Authenticator than SMS codes because at least it works.

 

Last night I had to wait 43 minutes (!!) for a code to arrive via SMS, and by the time it did, my login session had expired and the code was no longer valid. A second attempt resulted in a 30+ minute wait for the code to arrive, with the same problem. The third attempt finally worked, with the code arriving after approx. 5 minutes. That's an hour and twenty minutes wait, just to log into the Android app to see what might be the issue with a payment an eBay seller said he hadn't received. Completely and utterly unacceptable!!

 

You may wonder why I didn't use a PC instead of the app. Well, as a matter of fact, I did. But for unknown reasons the website refused to accept codes from my VIP Yubikey, so I (foolishly) requested a code via SMS instead and when that didn't work (it's the one that took 43 minutes to arrive), I tried my Yubikey one more time, which resulted in me getting locked out of my account for over an hour. Of course, there was nothing wrong with the codes from my Yubikey, as I've successfully used it to log into my account today to respond to your message, as well as to c h e c k out that particular payment.

 

Speaking of that payment, why does the Android app only show it as pending, and do I have to log into my account on a PC to find out that the reason it is pending is that the seller hasn't accepted the payment yet? The app is supposed to make things easier, not double the amount of work I have to do!

 

I'm sorry if I sound bitter, but my faith in PayPal is ultra low. For example, I have not been able to use the mobile app since 2010 (!!) when I first contacted PayPal by phone (see the linked thread in my original post). Numerous promises, and 6 years later, I still cannot use the mobile app as it still doesn't work properly with PayPal's own security token (and by extension, the VIP mobile app and Yubikey). While the app now, at least, has support for 2FA via SMS codes, they clearly do not work (for me), but even if they did, I want support for my VIP Yubikey, which I purchased solely for use with PayPal so as to not be reliant on mobile reception.

 

Longer term the app needs support for U2F and NFC-enabled keys, such as the Yubikey NEO, so that I don't need to carry a micro USB to USB adapter cable with me. If Lastpass and Github can do it, why can't PayPal?

 

As for the stored addresses, they can't possibly be cached. Some of these obsolete addresses I have not used since 2008/2009 and my PC has been reinstalled several times in the years since then.

 

As I've said in my previous message, PayPal's web design is broken on so many fronts. Here's another example: the Android app suggests setting up a PIN to make future logins easier and quicker (and less secure as it sidesteps 2FA), but nowhere in my account (on a PC) can I find a way to set up or change a PIN. In fact, there isn't even a way to change one's password. All the "new, redesigned, improved" profile page gives me is the option to change my name, photo, time zone, address, email address and telephone number. Even clicking the "Classic Site" link at the bottom only gives me an overview of the transactions, albeit in the classic format.

  

I'm pleased to hear that you will pass on my  f e e d b a c k   to the relevant team(s), but forgive me if I don't hold my breath for any changes. It's a shame that PayPal has such a monopoly on digital payments, for my experiences with the company are so bad that I'd use a competing service if I could, much like eBay.

 

EDIT: to add to my complaints about the utterly broken web design, why is an entire sentence without any swear words or bad language getting replaced by "**bleep**" because of the word "c h e c k" ?! Even the word "f e e d b a c k" in the last sentence gets replaced by "**bleep**"!! This is just crazy, I can't even leave normal language f e e d b a c k!! It's taken countless edits and over 20 minutes of my time just to edit this text  because of these two common words triggering some f o u l  (<- another one!) language filter!! (I have to add spaces to these words to avoid them getting replaced by **bleep**). Seriously not impressed.


Aerion
Contributor

Well, Conor,  as requested, I did let you know how I got on, but, as expected, I did not hear back from you. No attempt to assist me further, and no reaction to the additional issues I mentioned.

 

It's now seven-and-a-half months later, and guess what, I'm still having the same issue. I just tried to pay for an item on eBay, but only got offered SMS as the 2FA option, despite having a Yubikey VIP. It took 16 minutes for the SMS to arrive, but as the code contained within was only valid for 5 minutes I had to request a second one (which came through instantly).

 

Why does it take me 16 minutes to pay for a £2.99 item?!

 

I have extremely poor mobile phone reception where I live, so SMS is the worst possible 2FA option. Please sort this out, and don't make me wait months to get an answer.

 

Why does PayPal even bother having these forums if they don't read them?

 

PayPal's support is amongst the worst I've ever come across, and as long as that carries on being the case, I'll keep posting public messages like this. Not that PayPal cares, regardless of cliche marketing speak like "We value your feedback", as no feedback I've ever provided has been valued. If eBay allowed other digital payment providers I'd drop PayPal in a heartbeat.


rossowheels
Contributor

I'm having the same problem with my iPad and iPhone running iOS 10 latest version. Is there a workaround?


Aerion
Contributor

No, there isn't, and most likely there will never be a fix as Conor is either ignoring this thread or has forgotten about it. In any case, PayPal aren't even remotely interested in fixing this problem.

 

Just today I had to wait 43 minutes for my codes to arrive, by which time I had given up and purchased the item elsewhere.

 

I've attempted to contact eBay about it in the hope that they will do something about it from their end, but all I received was a pushback to PayPal. When I insisted that this particular problem only occurs on eBay, I got a vague promise that they would escalate it internally, but that they weren't sure whether it would get implemented.

 

I avoid using eBay and PayPal like the plague because of their stinking attitude towards customers, yet feeling justified in charging pretty hefty fees for using their services.

 

If only eBay allowed alternative payment methods… If only there was a viable alternative to eBay…

 

And apparently they're OK with people posting negative feedback like this; it doesn't prompt them into action.


acamelo
Contributor

Aerion, I'm so glad you have posted this as I have only just joined Paypal and one of the first things I noticed was the lack of proper support for 2FA applications (NOT SMS). SMS is unreliable as well as a security risk in my opinion, so I phoned support and was just told they don't support anything else apart from SMS 2FA. For a massive corporation like Paypal can they not introduce other 2FA Apps like Google Authenticator or 2FA??? It's really not that hard to do and most other good online vendors support it.

 

Paypal - Start listening to your customers, the only reason you ignore is because of no competition, that will change one day so please listen and act on reasonable requests from customers.

 
