Why am I only allowed to create one security device for 2 factor authentication?

bpip
Contributor

I want to utilize TWO Yubikeys so that I have a backup in case one is lost/stolen/breaks/etc. This is a VERY standard practice when using physical security devices like Yubikeys and as far as I've found, PayPal is the only service I'm using at the moment that hasn't allowed me to pair a second YubiKey with my login for 2 factor authentication means.

Am I missing something? Is there in fact a way to utilize a second key? I click on "add new device" just like before, but now I'm only presented the option of adding a phone number for SMS verification instead of the ability to pair a second physical security device... 

Byteflux
Member

WOW holy crap. I have two yubikeys - one on my pc and one on my keychain for when I'm on the go. I've always added both to everything for convenience and security (In case one gets lost or stolen, I always have the second one to fall back to). I think it's frankly ridiculous, that they allow for a second phone number to be added, but not a second physical security key?

dinth
Contributor

Not being able to have a backup key is totally nuts.

But that's not everything that is borked with 2FA on PayPal.

When I'm trying to set up my 2FA and I choose "Physical key" as my primary method, I'm being greeted with a dialog asking me to set up an Authenticator app (QR code, etc). Only after setting up Authenticator can I actually add a physical key as a backup solution, and then swap them around, so the physical key becomes the main solution, and Authenticator a backup solution. Still haven't found a way to get rid of Authenticator though.

PS. And what about the 20 character MAX length for the password? Seriously, PayPal is one of the most sensitive apps (if not THE most sensitive) I am using and at the same time it has one of the worst security.

And why am I constantly getting text message 2FA (literally like not having a 2FA at all...), even if I have set a physical key and authenticator app as my 2FA?

TheMadPhoenix
New Community Member

This is ridiculous that this is still an issue in 2023. PayPal is one of the most sensitive apps that most of us use and should allow multiple security keys along with getting rid of the other options that are less secure. C'mon PayPal, get with the security program.

AbbaTabba
Member

Was just on with PayPal support and they say they are looking into options. I can't believe they don't have at least 1 extra slot for a backup hardware security key. I have TOTP as a backup, but would still like to have an additional security key. Most places have about 5 entries, but could be coded for any practical number in reality.

aadamowski
Contributor

My standard is to set up second factor with 4 different security keys on the same account. 1 primary personal, 1 backup personal, 1 primary from work laptop, 1 backup from secondary work station. A single slot is ridiculous!

sscarter
New Community Member

I see that this topic has been open for over a year with no resolution. Apparently PayPal does not look at feedback here. I just ran into this when I tried to enable 2FA for a second user on my account. Confirmed with the support team that 2FA can only be used with one user. That means any additional users cannot log in securely. Ridiculous.

niklasvoito
New Community Member

Just here to add: Fix this dumb security issue @paypal

lucidnx
Member

Well, I guess it should be added ASAP! I wonder who **bleep** this so badly...

pitos-rio
Contributor

Still can add only one hardware key. When will you fix that?

ThxAndBye
Member

I, too, would like to add my backup key to PayPal, as is the recommendation by Yubico: "We at Yubico always recommend having more than one YubiKey. This way, one key can be used as a primary key, and the other can be used as a spare."

I'm also noticing that PayPal isn't listed in the "Works with YubiKey catalog". How much does @PayPal actually care about account security?
