FIDO U2F Security Keys

Severheadcase
Contributor

I have just purchased a FIDO U2F Security Key and I am surprised to see how few businesses are using this 2-step authentication device, given that they are registered members of the FIDO Alliance (LINK REMOVED).

Needless to say, PayPal features on these lists and yet they do not offer this ... why?

 

Can anyone (from PayPal or otherwise) shed any light on this? 

19 replies

phuzi
Contributor

Given that we've never had the option to use TOTP 2FA, only SMS 2SV, I'm not going to hold my breath.

 

This really isn't on for an organisation in the business that PayPal is in, one that is also supposed to be leading efforts for better security online.


RobertMarkEnger
Contributor

I would like to add my voice to the many who are requesting that modern 2FA (MFA) hardware tokens be added to PayPal.

(PayPal is putting profit ahead of high security by allowing cheap SMS authentication, etc. And they are **bleep** the taxpayer, as much of the cost of a security breach is transferred to the taxpayer via the cost of police, prosecution, courts and (hopefully) incarceration; not to mention the huge cost to the end user, who must change all their security infrastructure after a compromise. PayPal senior management are profiteering scum.)

 

Having unloaded that, I personally have a PayPal TOTP hardware token (Verisign VIP; basically a SecurID token). I have had it for years and years. It is FINALLY showing a low-battery alert. It has provided many, many years of good service. I would like to arrange a replacement with similar or stronger security. I am very disappointed that PayPal management prioritizes profit (and bonus check size) ahead of security. Modern-day PayPal management is a disgrace, and a disservice to America (and all countries it does business in).


laugher
Contributor

SMS and voice calls are vulnerable to phishing. Please implement token MFA and, if you're looking for options, FIDO2/U2F please.


qwattash
Contributor

I find it laughable that a company that I am supposed to trust with my money does not support the latest security features in any way.

They are supposed to be leading in security technologies, and yet we only get to use outdated and broken methods (with public exploitation paths, see evilginx, from more than a year ago). Other companies are already talking about FIDO2.


iandstanley
New Community Member

Presumably they got their security staff from the banking sector.

 


hadlock
Contributor

It looks like the successor to FIDO, Web Authentication, will be a W3C web standard. PayPal is part of the editorial process, with one previous and one current editor. If I had to take a wild guess, they are waiting until Web Authentication is formalized to roll out the feature.


Severheadcase
Contributor

Thanks @hadlock. Yes, it seems that many will wait until there is a clear consensus on either FIDO or W3C authentication via a browser app. It will be interesting to see how they intend to do this, and whether third-party apps can be used or it will be hard-coded into the browser. I would be concerned about hacking of software apps within a browser, whereas a hardware key is much harder. Let's see, shall we?

MSinDev
Contributor

Hi @Severheadcase.

Most standard browsers already support FIDO / U2F / WebAuthn, or even FIDO2. These browsers include Opera, Chrome, Firefox, and a few others.

I already use this login method for my GitHub and Bitbucket accounts via a YubiKey 5 Nano.
Therefore, I hope that PayPal finally expands its security standards.


Karmus
Member

Gonna follow this thread for future updates on the matter.

