On the bright side, I haven't been able to dig up the option to log in with just an SMS code in a while. (Read through this topic to find my earlier posts.) I'm not convinced that this is entirely fixed because it seemed to intermittently come and go for a while. But personally I haven't seen it. My list of active second factors on my security page now includes a hardware security key and auth codes generated on my phone. I don't recall if SMS was ever explicitly on the list, but it's not there now.

However, when I try to sign in, *after* putting in my password, I can still bypass my preferred second factors and get an SMS. I'm glad that it's at least combining this with a password, but I do not want it at all! Come on!

Worse, I've stumbled into a new problem. If I don't give my password, I can do a password reset via SMS code. When I do this, most sites will drop you back at the login page and make you sign in anyway, including any second factors you have turned on. Not PayPal! Once I put in the code from an SMS and type a new password, I'm logged into my account. You're reading that right. In effect, this is exactly the same scenario as before: no password, SMS code, no MFA, boom, logged in. But it's even worse, because now the attacker has also *reset my password* at the same time.

WTF PayPal! It's one thing to force me to use SMS as a second factor when I already have two others turned on. It's a whole other world of stupid to give login and password reset control via a text message.

The correct password emergency reset flow, which you've somehow apparently never seen, is:

1. Send a code or link to *email*.
2. Allow password reset (and send a security notice via email so the user knows what happened, which you also didn't do).
3. Redirect the user to the normal login page in order to use her new password.
4. When logging in, still require the second factors as normal.

It's not that complex. Login and password reset flows are, like, a completely solved technology.
We've been doing this for decades. Just do what myspace does, dang.
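As an added illustration (not code from the post above, and not PayPal's implementation), here is a small Python model of the two flows the post contrasts: a broken reset that takes an SMS code plus a new password and hands back a logged-in session, and the flow the post asks for, where the token goes to email, the reset creates no session, a notice is sent, the user is redirected to login, and login still demands an enrolled second factor (modelled here as RFC 6238 TOTP; the hardware key is listed as enrolled but not simulated). The account store, outbox, addresses and TOTP secret are all constructed for this example.

```python
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory account store; nothing here talks to a real mail or SMS gateway.
# Outbox entries stand in for delivered messages so the flows can be exercised offline.

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    factors: set = field(default_factory=set)   # enrolled second factors, e.g. {"totp", "security_key"}
    reset_token: Optional[str] = None
    reset_expires: float = 0.0

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): models the 'auth codes generated on my phone' factor."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class AuthService:
    RESET_TTL = 600  # seconds a reset token stays valid (assumed value)

    def __init__(self):
        self.accounts: dict = {}
        self.outbox: list = []        # stand-in for sent email / SMS
        self.sessions: dict = {}      # session id -> email

    def register(self, email, password, totp_secret, factors):
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, _hash(password, salt), totp_secret, set(factors))

    def _issue_reset(self, email, channel):
        acct = self.accounts[email]
        acct.reset_token = secrets.token_urlsafe(32)
        acct.reset_expires = time.time() + self.RESET_TTL
        self.outbox.append({"channel": channel, "to": email, "kind": "reset", "token": acct.reset_token})

    def _consume_reset(self, email, token, new_password) -> bool:
        acct = self.accounts[email]
        if acct.reset_token is None or time.time() > acct.reset_expires \
                or not hmac.compare_digest(token.encode(), acct.reset_token.encode()):
            return False
        acct.reset_token = None                   # single use
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        return True

    # --- Broken flow as the post describes it: SMS code + new password => logged-in session, no MFA.
    def broken_start_reset(self, email):
        self._issue_reset(email, "sms")

    def broken_complete_reset(self, email, sms_code, new_password):
        if not self._consume_reset(email, sms_code, new_password):
            return None
        return self._new_session(email)           # session minted straight from the reset: the bug

    # --- Flow the post asks for: token to email, reset, notice, redirect to login, MFA still required.
    def start_reset(self, email):
        self._issue_reset(email, "email")

    def complete_reset(self, email, token, new_password):
        if not self._consume_reset(email, token, new_password):
            return None
        self.outbox.append({"channel": "email", "to": email, "kind": "notice",
                            "text": "Your password was changed. If this wasn't you, contact support."})
        return "/login"                           # no session; the user signs in with the new password

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return None
        if not acct.factors:
            return self._new_session(email)
        return "mfa_required"

    def verify_factor(self, email, factor, code, now=None):
        acct = self.accounts[email]
        if factor not in acct.factors:            # only enrolled factors are accepted; "sms" is refused
            return None
        if factor == "totp" and hmac.compare_digest(code, totp(acct.totp_secret, now or time.time())):
            return self._new_session(email)
        return None                               # other enrolled factor types are not simulated here

    def _new_session(self, email):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = email
        return sid
```

The point of the design is that `complete_reset` returns a redirect and never touches `self.sessions`, so proving control of the email inbox only buys an attacker a new password, not a login; the session is minted solely in `verify_factor`, and only for a factor the account has actually enrolled. A production version would also rate-limit reset and code attempts and bind the reset token to the requesting browser, which this example leaves out.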