Backup codes?

iyak
Contributor

In 2FA setting, does PayPal provide backup codes, just in case of phone / authenticator loss?

32 replies

PayPal_JonK
Moderator

Hello @iyak

Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.

Thanks!

 - Jon K


If you find this or any other post was helpful, make our community better by giving kudos or accepting it as a solution.

maara
New Community Member

Hello @PayPal_JonK - I have an additional question on this topic, then - considering that 2FA's purpose is adding another level to the basic login credentials, how does PayPal prevent a scenario where my login credentials are already leaked (not the core of my question) and the one who happens to get my leaked credentials calls PayPal Customer Support to disable the 2FA? How would Customer Support confirm the identity of the caller?

I think the common practice of services providing a limited number of static backup codes (they usually have more digits) when activating 2FA, for cases of losing the device with the code-generating app, is useful because it's still another level of security. Meanwhile, calling customer support to just turn the 2FA off seems like the weakest link of the security to me, making the whole system actually not that secure. Is that not so?


vtvanda
New Community Member

Paypal:

Backup codes are a common backup plan for authenticator apps and are used by many major industry and security leaders in that industry. They also help prevent social engineering tactics, which are used more and more often every day and which would be employed were I to need to call, as you suggested. Please provide this feature. Having my phone number as a secondary 2-step authentication almost causes more vulnerabilities than it prevents, as it has been shown to be very vulnerable to man-in-the-middle attacks.


jdrch
Contributor

I'm gonna strongly agree with the other users here that backup/recovery codes are standard account security practice, and it's quite unusual for PayPal to not offer them.


BobKrc
New Community Member

[quote]Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.[/quote]

You obviously don't understand what backup codes are and how they work. Also, it is extremely worrisome that one can bypass 2FA by speaking to Customer Support. It means that with some amount of social engineering, one can break into a 2FA-protected PayPal account.

So here is how the rest of the industry manages this: you are given a set of one-time authentication codes that you need to store securely. Each of them can be used as a 2FA key, but only once. This allows you to log into your account should you lose your authenticator device.


djnono17
Member

@PayPal_JonK 

[quote]Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.[/quote]

That's not what backup codes are. Backup codes are a series of one-time codes that you give a user when he/she registers 2FA, which allow connection in place of the authenticator, and which allow you to disable/re-enable 2FA on another device (which is massively useful if you lost your phone and no longer have access to the Auth. App).

They are far more secure than any phone-number-based security, as those are extremely easy to bypass (most phone operators will unfortunately create a cloned SIM on request without too many checks).

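The mechanism BobKrc and djnono17 describe above (a fixed set of one-time codes issued at 2FA enrolment, each accepted as the second factor exactly once) is easy to make concrete. The following is an added example in Python, not PayPal's code and not something posted in this thread, showing the server side of such a scheme: codes drawn from a CSPRNG, stored only as salted hashes so a database leak does not expose them, and consumed on first use so a replayed code is rejected. The parameter choices (10 codes of 10 alphanumeric characters, 20,000 PBKDF2 rounds, the `generate_backup_codes` / `redeem_backup_code` names) are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters for this example: 10 codes of 10 lowercase
# alphanumeric characters (36**10, roughly 52 bits of entropy per code).
CODE_COUNT = 10
CODE_LENGTH = 10
ALPHABET = string.ascii_lowercase + string.digits
# The hashing cost is modest because the codes are random and high-entropy,
# unlike user-chosen passwords; raise it if the codes are made shorter.
PBKDF2_ROUNDS = 20_000


def _normalize(code: str) -> str:
    """Drop separators, whitespace and case so that 'AB12C-DE34F' and
    'ab12cde34f' compare equal; anything outside the alphabet is removed."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _hash_code(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a normalized code; only this is stored."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ROUNDS)


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH):
    """Return (plaintext_codes, stored_records).

    plaintext_codes are shown to the user exactly once at enrolment;
    stored_records (salt, digest, used flag) are all the server keeps.
    """
    plaintext, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        half = length // 2
        plaintext.append(f"{raw[:half]}-{raw[half:]}")
        records.append({"salt": salt, "digest": _hash_code(raw, salt), "used": False})
    return plaintext, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Accept a submitted code as the second factor at most once.

    Every stored record is hashed and compared, whether or not an earlier
    one already matched, so response time does not reveal which slot
    (if any) the submitted code hit.
    """
    candidate = _normalize(submitted)
    winner = None
    for record in records:
        digest = _hash_code(candidate, record["salt"])
        if hmac.compare_digest(digest, record["digest"]) and not record["used"]:
            winner = record
    if winner is None:
        return False
    winner["used"] = True  # single use: the same code is refused next time
    return True


def remaining_backup_codes(records) -> int:
    """Unused codes left; a real service prompts re-generation when low."""
    return sum(1 for record in records if not record["used"])


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("Show these to the user once:", codes)
    print(redeem_backup_code(store, codes[0].upper()))  # first use: accepted
    print(redeem_backup_code(store, codes[0]))          # replay: rejected
    print(remaining_backup_codes(store))                # 9 left
```

Note what the scheme does not depend on: nothing here uses a clock or a shared TOTP secret, which is why losing the authenticator (or its 30-second rotation) does not matter to it. The codes are independent secrets, and because only their salted digests are kept, a dump of the `store` records is not enough to log in.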

jonpage999
Contributor

@PayPal_JonK

I felt the need to join the Paypal community site just to chime in on this. It's crazy that this standard mechanism is unavailable, and crazier still that over a year later the only response "from Paypal" is an entirely pointless response from a moderator who didn't understand the question.

I'm just sorting out all of my security, specifically re-generating and storing all of my backup codes, and Paypal is literally the only organisation whose 2FA doesn't allow me to do so.

This really isn't good enough, especially when the "backup" is apparently to call and get support to disable it... at least tell us how you believe this to be secure? There is no piece of information that a dedicated intruder couldn't procure to offer as "proof" of my identity; that is the entire problem that 2FA is supposed to avoid. Getting it disabled should be absolutely a total last resort, and require something close to being truly infallible. Do you replicate the setup by sending a small payment to my bank account with a code attached to it? Keeping my financial accounts secure is (as you'd expect) very important to me; I really would like clarity on Paypal's security mechanisms.


Swizzler
Contributor

@PayPal_JonK wrote:

[quote]If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.

Thanks!

 - Jon K[/quote]


This is an awful answer, it's basically Paypal admitting they're vulnerable to Social Engineering attacks. Just provide the recovery codes, it's a standard feature of 2FA.


miball23
New Community Member

Yeah **bleep**, this is a security standard! This makes ZERO sense.
