FIDO U2F Security Keys

Severheadcase
Contributor

I have just purchased a FIDO U2F Security Key and I am surprised to see how few businesses are using this 2-step authentication device given that they are registered members of the FIDO alliance.

Needless to say PayPal features on these and yet they do not offer this ... why?

Can anyone (from PayPal or otherwise) shed any light on this?

19 replies

RAYs3T
New Community Member

More and more sites are getting support for U2F / FIDO. Even small forums do have support for it.

PayPal is one of the things where security does matter a lot. SO PLEASE SUPPORT U2F ASAP!


jbclements
Contributor

WebAuthn has entered W3C recommended status, and here's a nice press release that came out today. Time to implement support, PayPal!

https://www.w3.org/2019/03/pressrelease-webauthn-rec.html.en


qwattash
Contributor

I am extremely disappointed with PayPal's lack of concern for security. SMS OTPs have been considered bad for a long time now; it is simply appalling that a company as large as PayPal is years behind with respect to security standards. It really shows what they really care about. If any of the competitors were to introduce better security support I would switch without a thought.

I understand that most people only use their password and can't be bothered, and that's their choice, but it's sad that the general lack of awareness is an excuse to delay the adoption of better technologies. In my opinion large companies like PayPal have the social responsibility of making better security tools available to the general public.


THX11384EB
New Community Member

If I buy a YubiKey 5 NFC, will it likely be supported by PayPal later, or would I need a YubiKey which doesn't exist yet (i.e. the YubiKey 6 or 7)? I don't want to buy a 5 if it will be incompatible with whatever PayPal are supposedly brewing.


TimBB85
New Community Member

I have just bought a YubiKey 5 and can't believe that PayPal no longer supports the device.

PayPal - can anybody advise whether there are any plans to give users the option of using a hardware security key, such as a YubiKey, for 2FA again in the future? Regularly having to use authenticator apps on my phone (which is badly cracked, and so sometimes unresponsive!) is becoming increasingly frustrating in many cases, and yet 2FA is increasingly necessary and important to properly secure accounts and data. The hardware security key is certainly a convenient alternative to authenticator apps and seems more secure as a method of 2FA than what PayPal currently offers, too.


ter9
Contributor

Hello all,

I'd like to bump this thread. One aspect that was not mentioned is that even without U2F, there are lots of third-party apps like Google Authenticator, Duo Mobile, etc., which could be easily implemented. Relying on SMS and voice call only is very concerning; the dangers of SIM swapping and other techniques are well known!


andmalc
Contributor

Actually, TOTP authentication (temporary six-digit codes like those from Google Authenticator) is now available with PayPal. I just used it to log in here. This is a big improvement over codes via SMS.


jjoonathan
Member

Yeah, PayPal really needs U2F. It's a lot easier and a lot more secure than TOTP.

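To put the U2F-versus-TOTP comparison above in concrete terms, here is an added example (not code from any poster, PayPal, or the FIDO Alliance): an RFC 6238 TOTP verifier next to the clientDataJSON checks a WebAuthn/FIDO relying party performs before it even looks at the signature. The origin the browser fills into clientDataJSON is what a six-digit code has no equivalent of; the `rp.example` origins and the challenge bytes are constructed.

```python
import base64
import hashlib
import hmac
import json
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbours for clock drift.
    Note what is not checked: which site the user typed the code into."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
               for d in range(-skew, skew + 1))

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_client_data(client_data_json: bytes, expected_challenge: bytes,
                      expected_origin: str) -> bool:
    """Relying-party checks on WebAuthn clientDataJSON (type, challenge, origin).
    The browser fills in the origin and the authenticator signs a hash of this
    exact JSON, so a response collected on a look-alike site carries the wrong
    origin and is rejected before any signature is examined."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")),
                               expected_challenge):
        return False
    return data.get("origin") == expected_origin

def sample_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON in the shape a browser produces for an assertion."""
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                       "origin": origin}).encode()

if __name__ == "__main__":
    chal = bytes(range(32))  # constructed challenge
    print(totp(b"12345678901234567890", 59))  # 287082 (RFC 6238 vector key)
    print(check_client_data(sample_client_data("https://rp-login.example", chal),
                            chal, "https://rp.example"))  # False: wrong origin
```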

gts2
Member

Does a PayPal representative read these community concerns? I am new here (never had a problem or concern like this before), but it is very surprising to me that this concern has not received a reply. However, I do not have any doubt that PayPal doesn't understand the importance of implementing FIDO 2FA (two-factor authentication). This much is very clear.

Dear PayPal representative,

If you read this, then put this at the top of your list! Trust us. I am embarrassed to know that FIDO U2F & FIDO2 authentication options are not available on this platform. I am actually a bit surprised that one or the other is not MANDATORY!

PayPal executives are saying we have insurance for the accounts that get hacked. That view completely ignores the financial privacy of anyone that has ever used PayPal. Shame on you PayPal for this recklessness.

If you go to this website: https://fidoalliance.org/members/, you will see that PayPal is a "Board Level Member." This is the FIDO Alliance. Yet, PayPal doesn't allow us to use these FIDO certified devices to secure our own and our customers' financial privacy.

For your convenience, here is a photo of that page: [image: PAYPAL-FIDO.png]

This quote below, from the article https://www.darkreading.com/endpoint/i-hacked-my-accounts-using-my-mobile-number-heres-what-i-learne... , from a director at a cyber-risk investigations company and a former FBI cyber analyst, destroys SMS 2FA as secure.

"Lessons Learned
What did I learn from hacking my accounts with my mobile phone? Mainly, if my accounts hadn't been linked to my mobile phone and were solely protected by the complex passwords I use, they would have been more secure."

You may have a very secure long passphrase as your PayPal password. But an attacker just gives $20 to a minimum wage helpdesk employee at your cell phone provider and your phone number gets transferred to a phone in Germany. This happened while you slept, and all your passwords that can be reset via a cell phone have been changed. You can't access your cell phone account because you are calling from a different number and you don't know the PIN, password or the new German address. PayPal will send you an SMS or email to reset your password. But your email account passwords have been changed too.

This is just one way it can happen. There are many other attack vectors that will result in loss of access to your PayPal account and the pilfering of the financial contents thereof. The only thing worse than using SMS for a password reset is using your mother's maiden name.

PayPal may not see this coming, but this reckless behavior is circulating among security researchers as I speak. See this for example: https://techbeacon.com/security/sim-swapping-researchers-name-shame-sms-2fa-fails

It should floor everyone that a board level member of the FIDO Alliance is not proactively advocating, teaching and bringing to its members this very technology. PayPal is taking this a step further by not allowing it.

This technology works very well too. Google gave 85,000 employees FIDO security keys ($15 each) in early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes (TOTP). Today, not a single account has been breached. Google it!

If our customers were to know that their private financial information was NOT protected by proven and effective security measures that are very easy to implement, but are actually easier to hack than their email account... I just don't know what to say at this point.

PayPal allows TOTP, but that wastes millions of person-hours a year. It is slow and it is not secure enough for my customers! Here is an article that shows one way TOTP fails: https://www.itproportal.com/features/three-ways-attackers-get-around-totp-authentication/

Yes, that was a few months ago and is still in the wild. I guess this is the size limit on a post in PayPal's forum here. I only have one more line available to me. Maybe someone that cares will see this and PayPal will make a change for the betterment of everyone that uses its service.


NYOBone
Member

Just bought a device as well and very disappointed this is not supported.
