I have just purchased a FIDO U2F Security Key and I am surprised to see how few businesses are using this 2-step authentication device given that they are registered members of the FIDO Alliance (https://fidoalliance.org/participate/members-bringing-together-ecosystem/).
Needless to say, PayPal features on these and yet they do not offer this ... why?
Can anyone (from PayPal or otherwise) shed any light on this?
Given that we've never had the option to use TOTP 2FA, only SMS 2SV, I'm not going to hold my breath.
This really isn't on for an organisation that is in the business that PayPal is, that is also supposed to be leading efforts for better security online.
SMS and voice calls are vulnerable to phishing. Please implement token MFA and if you're looking for options, FIDO2 U2F please.
I find it laughable that a company that I am supposed to trust with my money does not support in any way the latest security features.
They are supposed to be leading in security technologies, and yet we only get to use outdated and broken (with public exploitation paths, see evilginx) more than a year ago. Other companies are already talking about FIDO2.
It looks like the successor to FIDO, Web Authentication, will be a W3C web standard. PayPal is part of the editorial process, with one previous and one current editor. If I had to take a wild guess, they are waiting until Web Authentication is formalized to roll out the feature.
Most standard browsers already support fido / u2f / webauth or even fido2. These browsers include Opera, Chrome, Firefox, and a few others.
I already use this login method for my GitHub and Bitbucket accounts via YubiKey 5 Nano.
Therefore, I hope that PayPal finally does expand its security standards.
More and more sites are getting support for U2F / FIDO. Even small forums do have support for it.
PayPal is one of the things where security does matter a lot. SO PLEASE SUPPORT U2F ASAP!
WebAuthn has entered W3C recommended status, and here's a nice press release that came out today. Time to implement support, PayPal!