
FIDO U2F Security Keys


I have just purchased a FIDO U2F Security Key and I am surprised to see how few businesses are using this 2-step authentication device given that they are registered members of the FIDO Alliance (https://fidoalliance.org/participate/members-bringing-together-ecosystem/).

Needless to say PayPal features on these and yet they do not offer this ... why?

 

Can anyone (from PayPal or otherwise) shed any light on this? 

8 REPLIES
Member

Re: FIDO U2F Security Keys

Given that we've never had the option to use TOTP 2FA, only SMS 2SV, I'm not going to hold my breath.

 

This really isn't on for an organisation that is in the business that PayPal is, that is also supposed to be leading efforts for better security online.

New Community Member

Re: FIDO U2F Security Keys

SMS and voice calls are vulnerable to phishing. Please implement token MFA and if you're looking for options, FIDO2 U2F please.

New Community Member

Re: FIDO U2F Security Keys

I find it laughable that a company that I am supposed to trust with my money does not support in any way the latest security features.

They are supposed to be leading in security technologies, and yet we only get to use outdated and broken (with public exploitation paths, see evilginx) more than a year ago. Other companies are already talking about FIDO2.

New Community Member

Re: FIDO U2F Security Keys

It looks like the successor to FIDO, Web Authentication, will be a W3C web standard. PayPal is part of the editorial process, with one previous and one current editor. If I had to take a wild guess, they are waiting until Web Authentication is formalized to roll out the feature.

Re: FIDO U2F Security Keys

Thanks @hadlock. Yes, it seems that many will wait until there is a clear consensus on either FIDO or W3C authentication via a browser app. It will be interesting to see how they intend to do this and if third-party apps can be used or it will be hard-coded into the browser. I would be concerned about hacking of software apps within a browser, whereas a hardware key is much harder. Let's see, shall we.
New Community Member

Re: FIDO U2F Security Keys

Hi @Severheadcase.

Most standard browsers already support fido / u2f / webauth or even fido2. These browsers include Opera, Chrome, Firefox, and a few others.

I already use this login method for my GitHub and Bitbucket accounts via YubiKey 5 Nano.
Therefore, I hope that PayPal finally does expand its security standards.

New Community Member

Re: FIDO U2F Security Keys

Gonna follow this thread for future updates on the matter.

New Community Member

Re: FIDO U2F Security Keys

More and more sites are getting support for U2F / FIDO. Even small forums do have support for it.

 

PayPal is one of the things where security does matter a lot. SO PLEASE SUPPORT U2F ASAP!