PayPal Community

@PayPal_JonK Are you actually reading our comments? It would appear not.

We are asking for 2FA that uses an AUTHENTICATOR APP because SMS is insecure and we don't want yet another, PayPal-branded hardware security token when we all have mobile devices that already support authenticator apps.

@cbj4074,

I'd be happy to clarify further. After selecting "Update" next to "Security Key", you'll see the option to use / enter your mobile number or you can select "Activate a new security key token". Click that, then jump over to your phone and download the VIP Access app.

The VIP Access app can be downloaded via Google Play Store or Apple App Store. From there, you'll see the serial number to use and follow the instructions from there back on your computer. 

Once activated, you'll use that app to generate a new 6 digit code to be used at every login.

Best of luck!

 - Jon K

Which only "sorta" works.

That app provides a serial number that is usable for a single account, so we're back to a situation where you can secure 1 account and not multiple accounts.   What's really crazy about this is that Paypal already enabled authenticator apps for personal accounts, and if you'd just do the same thing here, then there'd be unlimited account support, and significantly better account security and ease of use.

-Erick

@PayPal_JonK Thank you for clarifying, and I appreciate your patience and level-headed tone, despite my apparent frustration with the status quo.

The VIP Access app is certainly better than nothing, and until you explained how to enable it in your previous post (for which I gave you kudos), it was in no way apparent that one is able to use a mobile device in lieu of needing a PayPal-branded security card or token.

The page in question (pictured below) should be modified to explain that!

Out of curiosity, why doesn't PayPal simply extend the multi-app authenticator (e.g., Google Authenticator, Microsoft Authenticator, etc.) support to Business accounts, as it has for Personal accounts, as @ekrueger suggests? Is there some technical reason for which doing so is infeasible?

This "VIP Access app" you mention is made by Symantec.

For the love of Pete, no one I know would even consider installing their software.

Does Paypal not provide/sell the card and/or dongle shown on the web page?

Better yet, I would like to use my YubiKey or Titan.

Please advise.

Sláinte,

Pad

Actually authenticator apps aren't that secure anymore either.

For best security practices a hardware token like a yubikey is now recommended.

They have NFC enabled ones now that takes the PITA out of it.

@Garbunkle Are you able to provide a citation that explains why Authenticator-style apps are no longer viable? Thanks!

@PayPal_JonKI installed the VIP Access app. I didn't realize that it's a Symantec product, and not PayPal's home-brewed solution. That makes me feel (only marginally) better. 😉

In any case, there are no real "instructions" to speak of in the app itself. Specifically, it's not clear what value needs to be entered into the "Serial number" field in the PayPal interface (of which I provided a screenshot in my previous post). Is this the "CREDENTIAL ID" that appears at the top of the VIP Access app interface? Or some other value?

I've tried entering the full value, e.g., "SYMC XXXX XXXX" (there are 8 numeric digits in place of those Xs) and then the 6-digit code, followed by the next 6-digit code that appears within 30 seconds of the first, and I get: