2FA "Security Key" isn't actually a security key - Support real Security Keys using U2F!

n_b
Contributor

I tried to set up 2FA (Two Factor Authentication) on my account. It gives the usual options you see on other sites: "Text Me A Code", "Use An Authenticator App", or "Use a Security Key". The first option, to text a code, is a horrible 2FA method, and any site that takes security seriously should not offer it because it's too easy to bypass with SIM-swapping, and non-technical users may not realize this and assume it's safe. Authenticator apps are a decent option but annoying to use. Then there's Security Keys (in this context I mean a "real" security key like a Yubikey or Titan Key). But this isn't what PayPal offers when you select "security key"; no, they mean an authentication app that's not an app but a PayPal-branded hardware device. That's kind of a joke; I see no real reason to use that over an authenticator app. I am not even sure why PayPal has them as an option, quite frankly. But if you are going to offer them, don't call them something they are not. They are not "security keys"! So first is to stop confusing users by calling it something it's not; the best term I could think of is a "PayPal token". But the name isn't the real problem (though it is very misleading). The problem is the lack of support for a "real" Security Key that uses U2F. If you take security seriously this NEEDS to change!
