How do I disable one-time codes

Only1KW
Contributor

Recently when logging in, PayPal has started offering me the option of logging in with a one-time SMS code to my phone rather than a password. This seems incredibly insecure to me and I'd prefer not to have it on my account. I cannot find any way to disable this when I check my account settings. I've spoken with half a dozen agents at this point about this, and half have told me it can't be disabled and half told me they'd send me instructions on how to disable it, but either the instructions never arrived or were not relevant. How do I go about disabling this feature on my account?

106 REPLIES

Typhoen
Contributor

The "Log in fast with a one-time code" is not just a potential security threat, it's a bona fide absolute 100% security threat because my computer got hacked and someone was able to remotely log in to my desktop computer, gaining control of my desktop. Did they get into my BofA account through my browser? Nope, they needed a password. My Chase account? Nope, they didn't have a password for that either. Venmo? Uh-uh, no password. My PayPal account? Yep!!! Two clicks! First click, "Log in fast with a one-time code", and a code gets sent to my Messages desktop app, second click, autofill code, and they're logged into PayPal and draining my funds.

I was able to catch them in the middle of the heist and cut them off, but they were still able to drain some of my funds. This "Log in fast with a one-time code" is not two-factor authentication, it's not even one-factor authentication. It's zero-factor authentication. On a desktop browser on the Mac, with the Messages app linked to your phone Messages app, it takes two clicks (<click>send code-<click>autofill code) to log in to PayPal. No password is necessary, and no authentication is necessary. So anyone with access to your desktop, either at the chair or remotely logged in, has instant access to your PayPal account. (And before someone starts criticizing my lack of desktop security having my Messages apps linked. As I mentioned above, they didn't get into any other banking accounts, just PayPal. Yes, I need to find out how they got in, tighten security, and close that hole, but only one banking platform was effortlessly compromised.)

But, "Hey some people might like this convenience!", fine, keep it as an option. But there are a lot of people who don't want it and there's no option to disable it. I don't even know where this "Log in fast with a one-time code" came from. I didn't ask for it or enable it. But the first thing I did after locking down my computer, going through my browser history to see what the culprit did, and changing passwords was to go look for the PayPal setting to disable this "feature". Guess what. There is no way to disable it, so there it sits, an extremely major security flaw front and center on a banking platform's login page. They might as well change "Log in fast with a one-time code", to "Click this button to steal this person's money."

This bulletin board is more secure. I have to prove "I'm not a robot" just to post this message.

yakyakyak
New Community Member

After seeing this feature for some time I just realised what a security flaw it is and looked it up. I am happy to see I am not the only one who has realised this. Equally unhappy that nothing has been done yet. It is worrying that large businesses more and more resent customers having any control over information, even their own passwords.

adampcompton
Contributor

Just got an email survey link from PayPal/Venmo, so I used the opportunity to blast them about this horrific feature.  Came back to this thread to see if there was any update, and I found that my post was edited to remove the PayPal team members/mods that I tagged in a previous comment, hoping that they could potentially let the dev team know that this is a major issue.

Tagging some more again here to make sure this doesn't just keep getting swept under the rug:
[removed]

Only1KW
Contributor

15 minutes later and the tags are already removed again.  Did it happen immediately upon posting?

darkchiaki
Contributor

As I don't see any change to this, and contact to PayPal is a pain by itself (yea, call them... really), I just type a little message in a contact form that was available on "please give us your feedback on our service xxxx". Hell yes, I know this will make no one jump up their chair and take any action, but little by little, maybe someone at PayPal will wake up.

And if someone from PayPal is reading this, does the following ring a bell?

**********

Hi there. I hope this will find a real person, not only a bot coming up with an automatic standard reply. I do not see any other way to contact PayPal, so I'll write here. Please, PLEASE, can you disable the "feature" to log in to my account with a "one time passcode by sms" INSTEAD of a password. Really, I DO NOT WISH to log in with ONLY a sms code and COMPLETELY BYPASS any password authentication. This one-factor-auth is a **bleep** by itself, it bypasses even 2FA as it only requires access to the phone linked in the account. And please, PLEASE, fire your entire security team, as anyone who thinks this one-time-passcode alone is safe in any way, has to be fired instantly. Thank you for reading, and for taking the necessary steps to make PayPal a safe payment method again. Thanks.

Executor32
Contributor

It does appear that they've finally fixed this massive security flaw, as I am no longer provided the option to get a one-time SMS code instead of using my password. About damn time, it's a "feature" that should've never even been introduced in the first place.

darkchiaki
Contributor

@Executor32 I tried to log in just a moment ago, and the option to use a one time code instead of a password was still there. To me nothing appears fixed. Just to note this, I'm from Switzerland, maybe they disable this "feature" in regions where they could be held responsible?

@kernowlass I think you didn't get the problem right, did you?

Everyone here is talking about one-time-code INSTEAD of a password, which equals to 1FA and is silly.

We are NOT talking about a one-time-code IN ADDITION to a password, which would be real 2FA.

I didn't and don't have 2FA enabled ever. I'm even unable to delete my mobile number, and adding a new number as "home" and make this primary is not an option in account settings anymore. That's silly by itself, but wouldn't be a problem if we did not talk about this **bleep** one-time-code INSTEAD of a password.
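
The difference this thread keeps returning to, a one-time code used instead of a password versus one used in addition to it, written out as a server-side login check. This is an added example, not part of any post and not PayPal's code; the `Account` settings and the `evaluate_login` function are hypothetical.

```python
from dataclasses import dataclass

# Each credential type proves one factor category.
FACTOR_OF = {"password": "knowledge", "sms_otp": "possession", "totp": "possession"}

@dataclass
class Account:
    # Hypothetical per-account settings, assumed for this example.
    allow_otp_only_login: bool = False   # the opt-out the thread asks for
    require_second_factor: bool = False  # the user has turned on 2FA

def evaluate_login(account, verified):
    """Decide a login from the set of credential types already verified.

    Returns (allowed, reason).
    """
    unknown = set(verified) - set(FACTOR_OF)
    if unknown:
        return False, "unknown credential type: " + ", ".join(sorted(unknown))
    factors = {FACTOR_OF[c] for c in verified}
    if not factors:
        return False, "no credential verified"
    # OTP instead of a password: possession of the phone is the only factor,
    # and two possession credentials still count as one category.
    if "knowledge" not in factors:
        if account.require_second_factor:
            return False, "OTP-only login would bypass the account's 2FA"
        if not account.allow_otp_only_login:
            return False, "OTP-only login is disabled for this account"
        return True, "single factor: possession only"
    # Password present; a 2FA account still needs a second, distinct category.
    if account.require_second_factor and len(factors) < 2:
        return False, "second factor required"
    return True, f"{len(factors)} factor(s): " + ", ".join(sorted(factors))
```
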

kernowlass
Esteemed Advisor

@darkchiaki

Sorry for trying to help.

I get what you mean now but won't offer further advice at the risk of "not getting the problem".


Advice is voluntary.
Kudos / Solution appreciated.

tom_b_203
Contributor

lmao you're a clown

you're the first reply to the thread, link an article for something else, get corrected, then come back 9 pages and 2 years later, link another irrelevant article, and then get offended when you get told it's not what OP is talking about.
