Request FIDO U2F as second factor.
I am not happy (I suppose the same goes for many PayPal customers out there) to purchase a key from each website I transact with.
1. Security Questions are good.
2. TOTP token which we can use with Google Authenticator or other app is OK.
3. FIDO U2F is good, actually an ingenious, awesome second factor.
By good I mean we desire them. If in doubt, please learn from Google regarding authentication options.
Hope PayPal listens to this positive feedback.
I recently tested a YubiKey NEO, and abandoned it almost immediately. Too much pain for too little gain. And I'm a technologist. My clients would never use it.
I use U2F. My clients use U2F. My clients who have had money stolen from their PayPal account definitely use the app based authenticator too (but would prefer FIDO U2F).
A technology that cell networks use to enable SMS is SS7, known as CCSS7 in the U.S. and C7 in the U.K. It is a telecommunications standard that enables a digital signaling network to provide cellular and wired call setup, routing, and control. Any dedicated hacker can gain access to SS7, spoof the target’s phone number, and receive all texts and voice communication between the target and anyone else. This includes capturing one time passwords (OTPs) sent to phones used in two-factor authentication.
In 2016, Karsten Nohl of German Security Research Labs demonstrated an SS7 attack on U.S. Congressman Ted Lieu’s phone number. Also in 2016, Positive Technologies demonstrated how they could bypass use of SMS for authentication on WhatsApp, Telegram, and Facebook. These are not attacks against the phones. The phones were not hacked. These are attacks on SS7 using the target’s spoofed phone number.
Paypal engineers co-authored the FIDO U2F standard, so I assume they'll get around to supporting it at some point. Some sort of public timeline would be nice.
PayPal already supports a (non-open-standard) TOTP password via the "Symantec VIP" app. You can add these as "security keys" in your PayPal account. I've found this buggy though (e.g. paying via third party sites just hangs when I have my key enabled in my PayPal profile - this has been broken for at least 6 months).
Sorry, my mistake, they co-authored the Web API for accessing FIDO 2.0 credentials, and are part of the W3C working group which is producing a new web authentication API https://w3c.github.io/webauthn/
My guess is that they'll wait until this is finalised, and implemented in browsers before reworking their second factor auth. Which probably means 2 years or more from now.
Which is a shame, since Facebook just added FIDO U2F, and in the meantime 2FA on PayPal is poor/annoying/buggy.
@TimSmall wrote: PayPal engineers co-authored the FIDO U2F standard, so I assume they'll get around to supporting it at some point. Some sort of public timeline would be nice.
PayPal already supports a (non-open-standard) TOTP password via the "Symantec VIP" app. You can add these as "security keys" in your PayPal account. I've found this buggy though (e.g. paying via third party sites just hangs when I have my key enabled in my PayPal profile - this has been broken for at least 6 months).
Symantec VIP is not secure -- it uses the same serial number for all applications (much like using the same password for all websites).
It's also poorly implemented in PayPal -- it doesn't work when paying from eBay (you have to use poor SMS authentication instead).
As I wrote above, PayPal badly needs to do much more in security.
BTW, if you want to try the existing TOTP auth, you need to:
1. Install the Symantec "VIP Access" app on your phone.
2. Go to https://www.paypal.com/myaccount/settings/security
3. Click "update security key"
4. Click "get security key"
5. Click "cancel" on the "Register your mobile phone" page (no, really!) which takes you to https://www.paypal.com/cgi-bin/webscr?cmd=_activate-security-key-any
6. Enter the serial number from the Symantec app.
7. Hope it doesn't break logins from third party sites for you (if it does, you can always deactivate the key again).
Sorry for the continual posts on this topic, but I suppose it prompted me to take the time to look into the 2FA login-hanging bug. I eventually fixed it by:
1. Clearing all trusted devices from Settings (this is just temporary if you use that feature).
2. Deleting all paypal domain cookies from my browser.
I then get prompted correctly for the VIP key when paying via third party sites.
Just my 5ct: I have been using the HOTP token from PayPal for many years now, which is very, very secure, comfortable and works like a charm!
But U2F-support would be very nice, as I have two 🙂
Michael
@makki1 wrote: Just my 5ct: I have been using the HOTP token from PayPal for many years now, which is very, very secure, comfortable and works like a charm!
eBay is discontinuing the use of those tokens (you can currently use them as second factor auth on both sites). Since you can no longer buy them from PayPal, I wonder when they'll drop them too?
AND: On the mobile app it seems you have to have SMS enabled to use the mobile app at all... Neither SMS nor the VIP key makes sense on mobile, as it's probably running on the same device anyway if stolen 🙂