You don't have to have a background in digital security to know how asinine it is to be forced to have a one-time passcode via SMS as an option. 2FA via SMS is not great as is, but on every other site I've ever seen, it's a second factor. With how PayPal does it, it's an SMS as a single factor. In short, when you enable 2FA, you increase your security if using a password to sign in, but overall actually reduce security, because you go from requiring a password that hopefully only you know and is different from other sites to instead being susceptible to a multitude of attacks that would give access to your SMS, and thus give easy access to your PayPal account. PayPal, how do you not understand how this works? Your forced inclusion of a one-time passcode after enabling 2FA introduces a new option that doesn't need 2 factors, and entirely defeats the purpose of what 2FA is supposed to do. I'm just a low-tier IT admin and even I know how completely backwards this is. How does a massive company like yourself not have anyone working there questioning how absolutely stupid this is in terms of security?