
Backup codes?

Contributor

Backup codes?

In 2FA setting, does PayPal provide backup codes, just in case of phone / authenticator loss?

Moderator

Re: Backup codes?

Hello @iyak

 

Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method. 

 

Thanks!

 

 - Jon K


New Community Member

Re: Backup codes?

Hello @PayPal_JonK - I have an additional question on this topic then - considering that 2FA's purpose is adding another level to the basic login credentials, how does PayPal prevent a scenario where my login credentials are already leaked (not the core of my question) and the one who happens to get my leaked credentials calls PayPal Customer Support to disable the 2FA? How would Customer Support confirm the identity of the caller?

I think the common practice of services providing a limited number of static backup codes (they usually have more digits) when activating 2FA, for cases of losing the device with the code-generating app, is useful because it's still another level of security. Calling customer support to just turn the 2FA off seems like the weakest link of the security to me, making the whole system actually not that secure. Is that not so?

New Community Member

Re: Backup codes?

Paypal: 

 

Backup codes are a common backup plan for authenticator apps and are used by many major industry and security leaders in that industry. They also help prevent social engineering tactics, used more and more often every day, which would be employed were I to need to call, as you suggested. Please provide this feature. Having my phone number as a secondary 2-step authentication almost causes more vulnerabilities than it prevents, as it has been shown to be very vulnerable to man-in-the-middle attacks.

New Community Member

Re: Backup codes?

I'm gonna strongly agree with the other users here that backup/recovery codes are standard account security practice, and it's quite unusual for PayPal to not offer them.

New Community Member

Re: Backup codes?

Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method. 

 

You obviously don't understand what backup codes are and how they work. Also, it is extremely worrisome that one can bypass 2FA by speaking to Customer Support. It means that with some amount of social engineering, one can break into a 2FA-protected PayPal account.

 

So here is how the rest of the industry manages this: you are given a set of one-time authentication codes that you need to store securely. Each of them can be used as a 2FA key, but only once. This allows you to log into your account should you lose your authenticator device.

Member

Re: Backup codes?

@PayPal_JonK 

Quoting: "Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method."

 

That's not what backup codes are. Backup codes are a series of one-time codes that you give a user when he/she registers 2FA, which allow connection in place of the authenticator and allow you to disable/re-enable 2FA on another device (which is massively useful if you lost your phone and no longer have access to the Auth. App).

 

They are far more secure than any phone-number-based security, as those are extremely easy to bypass (most phone operators will unfortunately create a cloned SIM on request without too many checks).
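The scheme described in this reply and the one above (a set of one-time codes issued at 2FA enrolment, each usable once in place of the authenticator) as an added Python illustration, contrasted with the rolling 30-second TOTP the moderator refers to. This is not PayPal's code; `Account`, `issue_backup_codes` and `verify_second_factor` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct

# Added illustration of the two second factors discussed in the thread; this is
# not PayPal's code, and the names below are hypothetical.

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated.
    A new value every step is exactly why it cannot serve as a backup."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code: str) -> str:
    # Normalise the user's typing (case, dashes) and hash; the store never keeps
    # plaintext, so a leaked table does not yield usable codes.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()

class Account:
    def __init__(self, totp_seed: bytes):
        self.totp_seed = totp_seed
        self.backup_digests: list = []   # hashes of the still-unused backup codes

def issue_backup_codes(acct: Account, count: int = 10) -> list:
    """Generate one-time codes, persist only their hashes, return plaintext once.
    Independent of the TOTP seed, so losing the authenticator does not lose them."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)                 # 40 bits of entropy per code
        codes.append(f"{raw[:5]}-{raw[5:]}")       # formatted for the user
    acct.backup_digests = [_digest(c) for c in codes]
    return codes

def verify_second_factor(acct: Account, submitted: str, unix_time: int) -> str:
    """Return 'totp', 'backup' or 'rejected'. A backup code is burned on use."""
    if hmac.compare_digest(totp(acct.totp_seed, unix_time), submitted):
        return "totp"
    wanted = _digest(submitted)
    for i, stored in enumerate(acct.backup_digests):
        if hmac.compare_digest(stored, wanted):
            del acct.backup_digests[i]             # one-time: a replay is refused
            return "backup"
    return "rejected"
```

Redeeming a code should also be logged and the user notified, since a successful backup-code login is exactly the event an attacker who obtained the codes would produce.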

 

New Community Member

Re: Backup codes?

I'm stunned to see there is no way to generate a backup code. 

 

Twitter only allows a single, single-use code, which makes it truly last-ditch, but at least it's available. I maintain some DropBox and Google backup codes in secure locations, which I can access through multiple methods (i.e. paper on a safe, telephone call to a trusted party, encrypted online storage, etc.). I also have a physical TOTP device for one of my VPN accounts which I keep sealed in a waterproof pouch when I'm on a journey.

 

How can PayPal not provide such a standard feature, and even worse how can they believe a telephone call is the answer if I'm traveling outside the country and making voice calls is difficult or impossible?

New Community Member

Re: Backup codes?

Backup codes are absolutely vital for every TFA method that uses a losable/breakable authenticator such as a phone app.

Every other 2FA system I've ever used offers this. PayPal, please get on the ball.