Hi! I was rather delighted recently to find that PayPal had added support for WebAuthn/Passkey authentication in addition to TOTP, but I found rather quickly that the implementation has some rather serious shortcomings that I'd very much like to see fixed, namely:

1. The site only allows for one registered authenticator per account. The absolute norm with WebAuthn is that an account should be able to have several authenticators registered, partly for backup/fallback, but also because many WebAuthn authenticators are device-bound. Common examples would include Windows Hello, or non-synced smartphone biometric authenticators.

2. When I try to log in on my smartphone, the site tells me that WebAuthn is only supported on desktop platforms and that I need to use some other method when logging in on my phone. I see no reason why this should be the case, since WebAuthn is perfectly well supported on mobile platforms, and if anything they are the premier home for it, with more widespread support for built-in authenticators.

3. More as a bonus rather than as a strict shortcoming, it would be nice if PayPal would support password-less authentication using WebAuthn rather than simply using WebAuthn as a second factor, à la "Passkeys".

Are these things I can look forward to seeing fixed?