PayPal two-factor authentication became available to users back in 2007. Anyone wishing to protect their PayPal login could order a $5 security token directly from their account.
Unfortunately, the company later discontinued its own hardware tokens in favor of SMS-based authentication, which weakened PayPal security considerably. The situation with PayPal two-factor authentication is now changing once again, this time for the better:
- Since 2018, you can use MFA applications to log into PayPal (Google Authenticator, Protectimus Smart, etc.)
- Because MFA apps are supported, it’s also possible to use hardware security keys again. There’s just one catch — only programmable tokens work for PayPal two-factor authentication.
How do I enable PayPal 2FA?
To activate two-factor authentication in PayPal, sign in to your account and navigate to the settings menu.
Choose the Security tab.
In the “2-step verification” section, click Set Up.
At this point, you’ll need to choose one of the available two-factor authentication methods: SMS or MFA application. Programmable hardware tokens can be linked with PayPal as MFA applications.
- SMS. When you choose SMS authentication, you’ll need to provide a real phone number. You’ll instantly receive a message containing a PayPal security code to confirm the number is correct. We don’t recommend using SMS if you’re able to set up a 2FA app instead or order a hardware token for use with PayPal.
- 2FA app. Choose this option if you want to link a PayPal authenticator app, or the Protectimus Slim NFC programmable security key.
- If you haven’t already installed a one-time password generator app, install the free Protectimus SMART OTP app or any other two-factor authentication app.
- If you want to use a hardware security token, you’ll need to already have one at this point. It must be a programmable TOTP token – Protectimus Slim NFC or a similar one. The process to link a programmable hardware token to PayPal is no different than the process of linking a two-factor authentication app. To set up the token, you’ll need an Android smartphone that supports NFC.
At this point, you’ll see a QR code containing the secret key. Scan it with your two-factor authentication app, or with the Protectimus TOTP Burner app if you’re linking a Protectimus Slim NFC hardware security key. If you aren’t able to scan the QR code, you can enter the secret key manually.
You’ll find detailed instructions for programming the secret key into the Protectimus Slim NFC token here.
To finish setting up PayPal 2-factor authentication, generate a one-time password with your token and enter it in the provided field.
Create a backup token. If you lose access to your current token, you can restore access to PayPal with your backup token. Remember that if you choose SMS authentication for backup, your PayPal account login will be less secure, even if you linked a hardware security key in the previous step. The best option is to use a hardware token as your main means of authentication and a 2FA PayPal app as a backup, or the other way around.
What’s the best option for PayPal two-factor authentication?
To answer this question, we’ve ranked the available PayPal two-factor authentication methods from strongest to weakest. Here are the results:
1st place – Hardware security token
2nd place – 2FA app
3rd place – SMS authentication
Next, some details about each kind of token for PayPal two-factor auth.
Hardware security tokens
- Hardware tokens are stand-alone, isolated devices.
- A Protectimus Slim NFC hardware token for PayPal is never connected to the internet, so malware cannot reach it.
- One-time passwords are generated on the device itself, not transmitted over GSM channels the way SMS messages are, so there is no delivery channel over which they can be intercepted.
- Even if you lose your security token, nobody who finds it will be able to gain access to your account. First, in addition to the token, a strong password is required. Second, someone who comes across the token will probably be unable to tell who it belongs to or which service it’s linked to. Besides, you’ll definitely notice if your physical token is missing and can change your PayPal password immediately.
The main disadvantages of hardware tokens are their cost and the fact that, sooner or later, the token’s battery will die, requiring you to buy a new token.
Two-factor authentication apps
Two-factor authentication apps attempt to combine the safety of a hardware PayPal security key with the convenience of SMS authentication. Essentially, by connecting Google Authenticator to PayPal, users receive a stand-alone device for generating one-time passwords right on their smartphones.
This method of securing a PayPal account is much better than SMS-based two-factor authentication. However, since smartphones have internet access, if you use a 2FA app to protect your PayPal login, there are some risks to keep in mind:
- If you lose your smartphone, you risk simultaneously losing your password and authentication token.
- Smartphones can also be infected by viruses, which may be able to extract one-time passwords from 2FA apps.
SMS authentication
First off, it’s worth noting that SMS authentication is better than nothing. If you aren’t able to set up an app for PayPal 2-step verification or order a hardware token, you should enable SMS-based PayPal 2FA, by all means.
Much has already been written about the disadvantages of SMS-based authentication. The main risks can be divided into three groups:
- the possibility of replacing the user’s SIM card (SIM swap scam);
- the risk of SMS messages being intercepted, if the SMS provider’s infrastructure is compromised or maliciously altered;
- the possibility of SMS messages being intercepted on the end user’s device, by means of a virus.
The hacking of a Reddit employee’s account is one of the most widely discussed cases in which SMS authentication was defeated. The attackers were able to exploit vulnerabilities in the SMS authentication process to compromise the data of thousands of the social network’s users.
However, the disadvantages of SMS-based authentication do not stop at the three points on this list. There can be quite a few problems using SMS-based PayPal verification if the user travels to a different country (and is using roaming), or if the user travels to an area without cellular service.
Frequently asked questions
- Navigate to the settings menu.
- Choose the Security tab.
- Find “2-step verification”
- Choose a PayPal 2-factor authentication method: SMS or 2FA application (hardware tokens can be linked to PayPal as if they were 2FA applications).
- Scan the QR code containing the secret key to create a token in your app, or to program your hardware token.
- To finish setting up PayPal two-factor authentication, generate a one-time password with your token and enter it in the provided field.
To avoid problems with accessing your PayPal account in the event that you lose your phone or token, set up a backup token in advance. It’s best to use an app on another phone, or a Protectimus Slim NFC hardware token.
Unfortunately, PayPal stopped selling its own hardware security keys. However, you can link the programmable Protectimus Slim NFC security token to your PayPal account.
Only programmable hardware TOTP tokens, like the Protectimus Slim NFC, can be used for two-factor authentication with PayPal. Programmable hardware tokens can be linked as if they were two-factor authentication apps. To link a security key to PayPal, you’ll need an Android smartphone that supports NFC.
The price of one Protectimus Slim NFC token is US$29.99 plus shipping.