Backup codes?

iyak
Contributor

Backup codes?

In the 2FA settings, does PayPal provide backup codes, just in case of phone / authenticator loss?

19 REPLIES
PayPal_JonK
Moderator

Re: Backup codes?

Hello @iyak

Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.

Thanks!

 - Jon K

maara
New Community Member

Re: Backup codes?

Hello @PayPal_JonK - I have an additional question on this topic then. Considering that 2FA's purpose is adding another level to the basic login credentials, how does PayPal prevent a scenario where my login credentials are already leaked (not the core of my question) and the one who happens to get my leaked credentials calls PayPal Customer Support to disable the 2FA? How would Customer Support confirm the identity of the caller?

I think the common practice of services providing a limited number of static backup codes (they usually have more digits) when activating 2FA, for cases of losing the device with the code-generating app, is useful because it's still another level of security. Calling customer support to just turn the 2FA off, on the other hand, seems like the weakest link of the security to me, making the whole system actually not that secure. Is that not so?

vtvanda
New Community Member

Re: Backup codes?

PayPal:

Backup codes are a common backup plan for authenticator apps and are used by many major industry and security leaders in that industry. They also help prevent social engineering tactics, which are used more and more often every day and would be employed were I to need to call, as you suggested. Please provide this feature. Having my phone number as a secondary 2-step authentication almost causes more vulnerabilities than it prevents, as it has been shown to be very vulnerable to man-in-the-middle attacks.

jdrch
New Community Member

Re: Backup codes?

I'm gonna strongly agree with the other users here that backup/recovery codes are standard account security practice, and it's quite unusual for PayPal to not offer them.

BobKrc
New Community Member

Re: Backup codes?

[quote]Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.[/quote]

You obviously don't understand what backup codes are and how they work. Also, it is extremely worrisome that one can bypass 2FA by speaking to Customer Support. It means that with some amount of social engineering, one can break into a 2FA-protected PayPal account.

So here is how the rest of the industry manages this: you are given a set of one-time authentication codes that you need to store securely. Each of them can be used as a 2FA key, but only once. This allows you to log into your account should you lose your authenticator device.

djnono17
Member

Re: Backup codes?

@PayPal_JonK

[quote]Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.[/quote]

That's not what backup codes are. Backup codes are a series of one-time codes that you give a user when he/she registers 2FA, and that allow connection in place of the authenticator, and allow you to disable/re-enable 2FA on another device (which is massively useful if you lost your phone and no longer have access to the Auth. App).

They are far more secure than any phone-number-based security, as those are extremely easy to bypass (most phone operators will unfortunately create a cloned SIM on request without too many checks).
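BobKrc's and djnono17's posts above describe the same scheme: a fixed set of one-time codes handed out when 2FA is enrolled, each redeemable once in place of the authenticator. The following is an added example (not code from this thread, from PayPal or from any named service) of how a service implements that server side; the code count, alphabet, code length and per-user salt are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed policy values, not taken from any real service.
CODE_COUNT = 10
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # drops 0/o/1/l/i to avoid transcription mistakes
CODE_LENGTH = 10  # about 49 bits of entropy per code with a 31-symbol alphabet


def _normalize(code: str) -> str:
    """Tolerate how users type a code back: 'ABCDE-FGHJK' and 'abcde fghjk' both -> 'abcdefghjk'."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(salt: bytes, code: str) -> str:
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT) -> tuple[list[str], dict]:
    """Return (plaintext codes, server-side record).

    The plaintext list is shown to the user exactly once; the server keeps only a
    per-user salt and the hashes, so a database leak does not hand out usable codes.
    """
    salt = secrets.token_bytes(16)
    plain = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        plain.append(f"{raw[:5]}-{raw[5:]}")  # grouped for readability on paper
    record = {"salt": salt, "hashes": {_digest(salt, c) for c in plain}}
    return plain, record


def redeem_backup_code(record: dict, candidate: str) -> bool:
    """Use a code as the second factor. Every stored hash is compared with a
    constant-time comparison, and a matching hash is deleted so the same code
    can never be replayed (the 'only once' property the posts describe)."""
    probe = _digest(record["salt"], candidate)
    matched = None
    for stored in record["hashes"]:
        if hmac.compare_digest(stored, probe):
            matched = stored
    if matched is None:
        return False
    record["hashes"].remove(matched)
    return True


def codes_remaining(record: dict) -> int:
    """Lets the service warn the user to regenerate codes before they run out."""
    return len(record["hashes"])
```

A real deployment would also rate-limit failed attempts and log every successful redemption as a security event, since a used backup code usually means the primary authenticator is gone.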

 

jonpage999
Member

Re: Backup codes?

@PayPal_JonK

I felt the need to join the PayPal community site just to chime in on this. It's crazy that this standard mechanism is unavailable, and crazier still that over a year later the only response "from PayPal" is an entirely pointless response from a moderator who didn't understand the question.

I'm just sorting out all of my security, specifically re-generating and storing all of my backup codes, and PayPal is literally the only organisation whose 2FA doesn't allow me to do so.

This really isn't good enough, especially when the "backup" is apparently to call and get support to disable it... at least tell us how you believe this to be secure? There is no piece of information that a dedicated intruder couldn't procure to offer as "proof" of my identity; that is the entire problem that 2FA is supposed to avoid. Getting it disabled should be absolutely a total last resort, and require something close to being truly infallible. Do you replicate the setup by sending a small payment to my bank account with a code attached to it? Keeping my financial accounts secure is (as you'd expect) very important to me; I really would like clarity on PayPal's security mechanisms.

Swizzler
Contributor

Re: Backup codes?


@PayPal_JonK wrote:

[quote]If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.

Thanks!

 - Jon K[/quote]

This is an awful answer; it's basically PayPal admitting they're vulnerable to social engineering attacks. Just provide the recovery codes, it's a standard feature of 2FA.

CallMeDave
New Community Member

Re: Backup codes?

I'm stunned to see there is no way to generate a backup code.

Twitter only allows a single, single-use code, which makes it truly last-ditch, but at least it's available. I maintain some Dropbox and Google backup codes in secure locations, which I can access through multiple methods (i.e. paper in a safe, telephone call to a trusted party, encrypted online storage, etc.). I also have a physical TOTP device for one of my VPN accounts, which I keep sealed in a waterproof pouch when I'm on a journey.

How can PayPal not provide such a standard feature, and even worse, how can they believe a telephone call is the answer if I'm traveling outside the country and making voice calls is difficult or impossible?