How do I disable one-time codes

Only1KW
Contributor

Recently when logging in, PayPal has started offering me the option of logging in with a one-time SMS code to my phone rather than a password. This seems incredibly insecure to me and I'd prefer not to have it on my account. I cannot find any way to disable this when I check my account settings. I've spoken with half a dozen agents at this point about this, and half have told me it can't be disabled and half told me they'd send me instructions on how to disable it, but either the instructions never arrived or were not relevant. How do I go about disabling this feature on my account?

102 REPLIES

MrFusion
Contributor

I messaged PayPal through the website about removing this and all they did was remove 2FA! Unbelievable that this security issue has been ignored, and none of their support team seem to understand the implications of using a mobile phone number in 2FA.

We as users should have the option to remove this one-time code option sent via SMS. A one-time code used via an authenticator app would be much more secure.

maxigalera
New Community Member

I'm also concerned about this feature and wanted to support the above comments with my message, adding visibility. An SMS one-time code shouldn't be considered a default security feature, and at least we should have the choice to disable it and leave only 2FA through an authenticator app, a physical key or whatever.

Hope PayPal fixes this soon.

Cheers

VirusDancer
Member

Meh, yeah, happened to me today. Woke up to see there had been a text sent to my phone. I log in to PayPal the normal way with password and 2FA. There have been no withdrawals, but when I check the managed machines, I see a machine named ginna in there that had accessed the account. I remove it, hoping that what it says about requiring additional security to log in - but given this one-time code bypasses 2FA, I don't have much hope it will make any difference. I did see the post about changing the number to a Google Voice number, but when I tried that they say it can't be a VOIP number.

There doesn't appear to be any sort of news coverage of the matter that might drive PayPal to make any changes here.

JawasForJesus
Member

Same thing here. Got hit with 4 one-time requests back to back. Had a good 10+ year run; looks like I'm removing all cards and info until this is resolved. RIP my PayPal acc.

acegrrl
Contributor

I guess it's goodbye PayPal for me. Shocking how poorly secure this option is, and no way of turning it off!

I have got 4 one-time codes delivered to my cell phone, suggesting that someone is using my email to generate them, and probably has my phone number too, so high risk of getting access.

You can set up all the 2FA you want, but if someone has your email and phone number, they can get access to your account through this one-time code feature.

shooper6
Contributor

It's like nobody told the PayPal team what the "2" in "2FA" stands for. If I can sign in with a six-digit code sent to my phone with NO password, that's only one factor of authentication! What really blows my mind is that not only does it skip my password, it even skips the authentication app that I just set up. Meanwhile if I choose "use password instead" it makes me type in my 25-digit password and then put a timed code in from my app. Hopefully anyone who gets access to my phone will be polite enough to choose this option.

Until then, I will be removing my cell number from this account and putting a Google Voice number instead (thankfully Google actually has good security practices) and I will be removing my banks and cards from this account. I will also make sure my family does the same and refuse to pay for services through PayPal until this is resolved. I thought it was bad that Venmo doesn't even support 2FA except for SMS codes but at least they still ask for my password. How embarrassing.

Sea_Monkey
Member

Discovered this asinine security """feature""" after trying to set up TOTP 2FA and then watching it be bypassed entirely with an SMS code. What even is the point of all those other security options PayPal provides in its settings if it permits anyone to access my account with just an SMS instead of the password? And then ignoring an issue for so long? Obviously I'm closing my account.

mattaw
Member

The irony of having to enter my password & 2FA TOTP code to reply to your post, yet an automatic code sent to my phone for transferring money is overwhelming. PayPal, is this a sick joke? We are not finding this funny.

shooper6
Contributor

Small update: I signed in a few hours ago to read the replies on this thread, and I was *still* given the option to sign in with a code which bypassed my password and authenticator app OTP. However, this time the code was sent to my email instead of my phone. I appreciate the slight improvement (assuming this wasn't some sort of fluke and an actual improvement made by the team) but to be clear that's still not good enough at all. 

Executor32
Contributor

I figured out how to switch it to email codes instead of texting them.

On the website, open the Settings page, then under Phone Numbers click "Change" next to your mobile number, uncheck the box next to "Send you text messages", and click "Done".

Or, in the app, tap your profile icon in the top right, then tap "Account info", then "Phone Numbers", then your mobile number, and turn off the toggle next to "Send you text messages".

Still no way to disable the feature entirely, unfortunately, but I trust my email account's security a lot more than I do my SIM card's.

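The point made in shooper6's and Executor32's posts above, worked through as an added example that is not part of the original thread and is not PayPal's code: an account is only as strong as the weakest sign-in path it accepts, and moving the code from SMS to email changes which single credential is enough, not how many are needed. The path and credential names are constructed assumptions that model what the posts describe.

```python
from itertools import combinations

# Constructed model of the sign-in options described in this thread.
# Each path lists every credential it demands; all names are hypothetical.
PATHS_SMS = {
    "password + authenticator app": {"password", "totp_app"},
    "one-time code by SMS": {"phone_number"},
}
# Same account after text messages are switched off and the code goes to email.
PATHS_EMAIL = {
    "password + authenticator app": {"password", "totp_app"},
    "one-time code by email": {"email_mailbox"},
}

def effective_factors(paths):
    """Number of credentials demanded by the weakest accepted sign-in path."""
    return min(len(required) for required in paths.values())

def bypass_paths(paths, enrolled):
    """Paths that complete a sign-in without the authenticator the user enrolled."""
    return sorted(name for name, required in paths.items() if enrolled not in required)

def minimal_compromise_sets(paths):
    """Smallest sets of credentials whose loss is enough to sign in."""
    assets = sorted(set().union(*paths.values()))
    found = []
    for size in range(1, len(assets) + 1):
        for combo in combinations(assets, size):
            held = set(combo)
            if any(prev <= held for prev in found):
                continue  # a smaller set already suffices
            if any(required <= held for required in paths.values()):
                found.append(held)
    return found

if __name__ == "__main__":
    for label, paths in (("SMS fallback", PATHS_SMS), ("email fallback", PATHS_EMAIL)):
        print(label)
        print("  effective factors:", effective_factors(paths))
        print("  paths skipping TOTP:", bypass_paths(paths, "totp_app"))
        print("  minimal compromise sets:", minimal_compromise_sets(paths))
```

With the one-time-code path removed from the model, the same functions report two effective factors and no path that skips the authenticator app, which is the setting the posters are asking for.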