Why is SMS our 2nd factor?
Why on earth would PayPal still be using SMS authentication as a second factor? It was deprecated as an acceptable security standard in July of 2016 by NIST. Reddit was recently compromised due to its reliance on SMS as a second factor on their internal servers and lost password databases and source code to hackers. Our PayPal accounts hold vast amounts of purchasing power, but we rely on a second factor authentication that hasn't been considered secure for more than two years by one of the slowest-moving government organizations in existence!
We have to demand better as a community. There is too much at stake.
Sources:
https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication
https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
PayPal does offer an additional security setup for some accounts. If you see an option for Verisign Vip in the following PayPal link, then it should be available to you. https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key
For PayPal's Verisign 2FA setup, you'll need these two links.
https://vipmobile.verisign.com/
https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key
When activating Verisign 2FA, you'll need your Access app Credential ID (enter your entire Credential ID in the serial number box) and two unique security codes (the second security code will be the code that follows the first after 30 seconds). You'll be able to deactivate Verisign 2FA from the security tab in your PayPal profile.
You won't be able to log into the PayPal app if using Verisign 2FA.
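An added illustration (not part of the thread, and not PayPal's or VIP Access's code) of why an enrollment form like the one described above asks for two consecutive codes: matching both against adjacent 30-second steps shows the enrolling device holds the token secret and tells the server the token's clock drift. It assumes a standard RFC 6238 TOTP with HMAC-SHA1 and 6 digits; `WINDOW`, the function names and the sample key (the RFC 4226 test key) are choices made for this example.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, per the post above
DIGITS = 6   # assumed code length
WINDOW = 3   # assumed tolerance: steps of clock drift searched either way

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (RFC 6238 TOTP)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _well_formed(code: str) -> bool:
    return len(code) == DIGITS and code.isascii() and code.isdigit()

def verify_enrollment(secret: bytes, code1: str, code2: str, now: int):
    """Return the token's drift in steps if code1 and code2 belong to two
    adjacent time steps near `now`; return None otherwise."""
    if not (_well_formed(code1) and _well_formed(code2)) or code1 == code2:
        return None
    current = now // STEP
    for drift in range(-WINDOW, WINDOW + 1):
        counter = current + drift
        if counter < 0:
            continue
        first = hmac.compare_digest(totp(secret, counter), code1)
        second = hmac.compare_digest(totp(secret, counter + 1), code2)
        if first and second:
            return drift   # a real server would also store counter + 1 to block replay
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test key, not a real credential
    a, b = totp(secret, 1), totp(secret, 2)
    print(a, b, verify_enrollment(secret, a, b, now=59))
```

A single guessed code passes a 6-digit check one time in a million per step tried; requiring the adjacent pair makes an accidental match during enrollment far less likely.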
Unfortunately, this is the SMS solution I was talking about. The only hardware token solution PayPal offers is for PayPal business customers. For consumer accounts, it is not available.
Although the interface is very confusing, this worked for me. When you are at the page:
https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key
you need to click on the right box link that brings you to:
https://www.paypal.com/it/cgi-bin/webscr?cmd=_activate-security-key-any
and treat the VIP Access application as if it were a physical key. Insert the Credential ID reported by the VIP Access application into the Serial number field and then put two consecutively-generated security codes.
Came here trying to figure out the same thing, and was disappointed.
My opinion is that any site begging for your mobile phone number "to secure your account" wants your mobile phone number much more than they want to give you additional security. The promise of additional security is just a great way to persuade you to hand it over.
With all the independent, cross-platform, free of charge mobile phone apps available to perform 2 factor authentication (FreeOTP, Authy, Google Authenticator etc) there is no excuse for PayPal not implementing something better, apart from "WE WANT YOUR MOBILE NUMBER".
In the light of GDPR, it is also worth noting that PayPal's privacy policy allows them to share pretty much everything with pretty much anyone:
"5. Do We Share Personal Data?
We may share your Personal Data or other information about you with others in a variety of ways.."
...so I guess I will just stick with a password for now, and PayPal can continue to bear the cost of any disputes caused by my account being hacked...