@gr5org - That's not really a solution, that's just a new security issue. If you do happen to lose track of your backup codes, they don't give much away, and they only allow one-time access to your account. If during those accesses they chose to remove, or change, your 2FA settings, you would know about it. If instead you lose the information necessary to generate 2FA codes for your account, they have potentially unlimited access to your account, and won't have to change anything to maintain access. This would allow an attacker to monitor your account until a moment of maximum impact to cause damage (steal your money). With a one-time backup code (or set of) they have a small window of access to your account, and limited ability to keep tabs on it, with the ability to generate they have everything they need.
... View more
@PayPal_JonK I felt the need to join the Paypal community site just to chime in on this. It's crazy that this standard mechanism is unavailable, and crazier still that over a year later the only response "from Paypal" is an entirely pointless response from a moderator who didn't understand the question. I'm just sorting out all of my security, specifically re-generating and storing all of my backup codes, and Paypal is literally the only organisation whose 2FA doesn't allow me to do so. This really isn't good enough, especially when the "backup" is apparently to call and get support to disable it... at least tell us how you believe this to be secure? There is no piece of information that a dedicated intruder couldn't procure to offer as "proof" of my identity, that is the entire problem that 2FA is supposed to avoid. Getting it disabled should be absolutely a total last resort, and require something close to being truly infallible. Do you replicate the setup by sending a small payment to my bank account with a code attached to it? Keeping my financial accounts secure is (as you'd expect) very important to me, I really would like clarity on Paypal's security mechanisms.
... View more