Backup codes?

iyak
Contributor

In the 2FA settings, does PayPal provide backup codes, just in case of phone / authenticator loss?


jroop
Contributor

I agree with everyone else here that having backup codes is an important feature of Two-Factor Authentication (2FA) that is missing from PayPal.

I also see that I can only register a single authenticator app instance for my account. If this were not the case, then a workaround would be to register a second authenticator app instance on a backup device (perhaps even the phone of someone you really trust). Since I can't do that either, however, I am left with the following choice:
1) Add my phone number as a backup authentication method, or
2) Don't have any backup and risk getting locked out of my account if anything happens to my phone.

I decided to add my phone number as a backup authentication method, but I feel that defeats the point of an authenticator app. Authenticator apps are more secure, and I don't want it to be possible to use SMS instead of the app.


thomastthai
New Community Member

I thought I was nuts for not being able to find the backup codes for PayPal 2FA. Would you trust PayPal with your money when it is unwilling to properly implement 2FA and backup codes?


Swizzler
Contributor

@jroop wrote:

I agree with everyone else here that having backup codes is an important feature of Two-Factor Authentication (2FA) that is missing from PayPal.

I also see that I can only register a single authenticator app instance for my account. If this were not the case, then a workaround would be to register a second authenticator app instance on a backup device (perhaps even the phone of someone you really trust). Since I can't do that either, however, I am left with the following choice:
1) Add my phone number as a backup authentication method, or
2) Don't have any backup and risk getting locked out of my account if anything happens to my phone.

I decided to add my phone number as a backup authentication method, but I feel that defeats the point of an authenticator app. Authenticator apps are more secure, and I don't want it to be possible to use SMS instead of the app.


It's even worse than your two numbered scenarios. Earlier, a PayPal support rep in this topic said they will disable 2FA for you if you call them and report a lost authentication device, so the 2FA is just security theater at PayPal; it's not protecting anything.


gr5org
Member

There is a solution! I just did it for my PayPal account.

When you set up TFA (or you can cancel it and set it up again) and you get that QR code (with a text code under it), take a screenshot and print that out on paper. Save that paper in a safe, off-site location (for example a safe deposit box or at work). You can scan that code months/years later and it will work!

I tested it out. I printed it out on paper. I scanned the "live" screen code with my primary phone and then I scanned the paper with a second, offline phone. The two phones now create the same codes, synchronized! The sheet of paper is in a safe place.

Alternatively, leave the screenshot as a PNG file and save that somewhere, or email it to yourself, or whatever you feel is both convenient and secure and will not get lost if your house burns down.


jonpage999
Contributor

@gr5org - That's not really a solution; that's just a new security issue. If you do happen to lose track of your backup codes, they don't give much away, and they only allow one-time access to your account. If during those accesses they choose to remove or change your 2FA settings, you would know about it. If instead you lose the information necessary to generate 2FA codes for your account, they have potentially unlimited access to your account, and won't have to change anything to maintain access. This would allow an attacker to monitor your account until a moment of maximum impact to cause damage (steal your money). With a one-time backup code (or set of them) they have a small window of access to your account and limited ability to keep tabs on it; with the ability to generate codes, they have everything they need.
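A worked illustration of the two points made above, gr5org's observation that two phones enrolled from the same QR code produce identical codes and jonpage999's distinction between the TOTP seed and one-time backup codes. This is added example code, not PayPal's implementation or any poster's; the `Authenticator` and `BackupCodes` classes are hypothetical, and the enrollment URI is constructed with the RFC 6238 test key as its secret.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI of the kind a TOTP QR code encodes (not a real account).
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the raw seed and parameters from an otpauth:// URI."""
    params = parse_qs(urlparse(uri).query)
    secret_b32 = params["secret"][0]
    secret_b32 += "=" * (-len(secret_b32) % 8)  # pad to a multiple of 8 chars
    return {"secret": base64.b32decode(secret_b32, casefold=True),
            "digits": int(params.get("digits", ["6"])[0]),
            "period": int(params.get("period", ["30"])[0])}


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1: same seed and same clock give the same code."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class Authenticator:
    """A device enrolled from the QR code. Any copy of the seed is a full clone."""
    def __init__(self, uri):
        self.p = parse_otpauth(uri)

    def code(self, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        return totp(self.p["secret"], now, self.p["digits"], self.p["period"])


class BackupCodes:
    """Server-side one-time recovery codes: only hashes are kept, each deleted on use."""
    def __init__(self, count=10):
        self.issued = [secrets.token_hex(4) for _ in range(count)]  # shown to the user once
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in self.issued}

    def redeem(self, code):
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest not in self._unused:
            return False
        self._unused.remove(digest)  # consumed: a replayed code is rejected
        return True
```

Two `Authenticator` instances built from the same URI agree at every time step, which is why a printed QR code works as a clone; a `BackupCodes` entry works exactly once, so losing the printout of the codes exposes far less than losing the seed.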

agirault
New Community Member

PayPal support: recovery/backup codes are a very standard feature in the industry to ensure that 2FA through an authenticator has a secure recovery system. Please put it on your roadmap to bring it to your customers. Being able to get "unlocked" from 2FA through the phone is a security flaw that defeats the purpose of an authenticator.


Calb300
Member

PayPal, backup codes are industry standard. Just had an issue where the Android app wouldn't accept 2FA (strangely, the web would) and wondered why I didn't have backup codes. You're scaring me when you don't use basic best practice!

piknockyou
Contributor

@PayPal_EJ ; @PayPal_BJ ; @PayPal_Jo ; @PayPal_Yi ; @PayPal_Jae 

We'd love to hear from you.

So many users share the same opinion on this matter and PayPal is not responding ...


tramman
Member

Just auditing all my 2FAs, and PayPal is the only one lacking recovery. Shameful.


tankandusch
Member

Chiming in once again to say that this is an absolutely *critical* piece of a useful 2FA architecture. Lacking support for backup codes, and allowing anyone who gets a couple basic pieces of biographical information to remove my 2FA over the phone, is exactly as good as not having 2FA at all.
