PayPal Community

This is not an adequate response.  As a security professional, I think it is a big miss that PayPal does not offer the use of an authenticator app or something like Yubikey.  SMS authentication is not safe authentication.  Anyone with moderate knowledge of tech can intercept the codes.  If someone performs a SIM card swap, a popular attack today, your second factor is useless.  For all practical purposes, you have what looks like strong authentication to those who don't know better, but it falls far short.

Hey Geokona. 

Welcome to the Community!

We appreciate your feedback and we will ensure to get it forwarded to the relevant teams. This may be introduced in the near future and we are always trying to build on the current security systems that are integrated on our website. 

Rest assured, as soon as there are any new updates on this, you will see this on the PayPal website.

I hope this helps.

David.

I dont understand how the leading online payment service hasn't got 2 factor authentication as a top priority feature!

Its truly shocking for this to be a feature that paypal are only just now looking at!

Paypal - "Come do almost all your online shopping with us, but we dont provide simple 2 factor authentication to protect you or your money."

There was a hardware 2fa security key floating around, which didnt catch much traction, so surely the authentication model is there already?!

I use a One-time password generated by Google Authenticator or my password manager (1Password) for all of my accounts that support 2FA. But here in Canada, the authenticator option isn't available.

The SMS Security Key is *horrible*. Not only is it insecure, but for some strange reason, it can take up to 10 minutes to receive the PayPal SMS. By that time, my transaction may have timed out.

Paypal: Please do better.

I concur with the others who contend that it is completely unacceptable for PayPal not to support Authenticator-type app 2FA at this point in time.

As others have noted, PayPal's "Security Key" method, which is SMS-based, does not constitute an acceptable 2FA implementation. Again, as others have noted, SMS is not secure and numerous low-tech attacks have been employed in order to intercept SMS messages, which renders SMS a non-option for 2FA.

There is absolutely no excuse for a vendor of PayPal's age, size, and stature not to have implemented a proper 2FA solution that utilizes an Authenticator-type app. None. There are coffee shop apps that have 2FA, for goodness's sake!

Time to get with the program, PayPal! You are stewards of peoples' hard-earned money! You have direct access to their bank accounts! And to wit, you force binding arbitration on  your customers, so they have virtually no recourse if somebody manages to gain unauthorized access to their accounts and steal their money out from under your behind-the-times, unsecure noses.

"We might implement it someday" doesn't fly! This should be at the very top of the priorities list!  Truly unbelievable and equally disappointing.

So I see that authenticator apps are now supported for Personal accounts.

When are business accounts picking this feature up?  Seems like it would make sense to protect the merchants/businesses/charities that are using the Paypal platform.   Right now, business accounts are lacking, and while SMS is clearly insufficient, you only allow 1 phone number to be used with a single business account, so if you have multiple, then you're pretty much stuck.  Same even if you used the security token, the serial# is limited to a single account.    Any word on when authenticator apps will come to the business users?