PayPal Two-Factor Authentication with Hardware Security Key

PayPal two-factor authentication became available to users in far 2007. Everybody wishing to protect their PayPal login could order a $5 security token directly from their account.

Unfortunately, later the company discontinued the use of its own hardware tokens in favor of SMS-based authentication, decreasing PayPal security considerably. But the situation with PayPal two-factor authentication is changing once again, for the better now:

  1. Since 2018, you can use MFA applications to log into PayPal (Google Authenticator, Protectimus Smart, etc.)
  2. As MFA apps are available, it’s also possible to use hardware security keys again. There’s just one catch — only programmable tokens will fit for PayPal two-factor authentication.

How do I enable PayPal 2FA?

Step 1

To activate two-factor authentication in PayPal sign in your account and navigate to the settings menu.

How to enable PayPal two-factor authentication - settings

Step 2

Choose the Security tab.

PayPal account settings - security

Step 3

In the “2-step verification” section, click Set Up.

PayPal 2-step verification set up settings

Step 4

At this point, you’ll need to choose one of the available two-factor authentication methods: SMS or MFA application. Programmable hardware tokens can be linked with PayPal as MFA applications.

  • SMS. When you choose SMS authentication, you’ll need to provide a real phone number. You’ll instantly receive a message containing a PayPal security code to confirm the number is correct. We don’t recommend using SMS if you’re able to set up a 2FA app instead or order a hardware token for use with PayPal.
  • 2FA app. Choose this option if you want to link an in-app PayPal authenticator, or the Protectimus Slim NFC – programmable PayPal security key.
Choose PayPal 2FA method - SMS or 2FA app

Step 5

  • If you haven’t already installed a one-time password generator app, install a free app Protectimus SMART OTP or any other 2-factor authentication app.
  • If you want to use a hardware security token, you’ll need to already have one at this point. It must be a programmable TOTP token – Protectimus Slim NFC or a similar one. The process to link a programmable hardware token to PayPal is no different than the process of linking a two-factor authentication app. To set up the token, you’ll need an Android smartphone that supports NFC.

At this point, you’ll see a QR code containing the secret key. Scan this secret key using a two-factor authentication app, or using the Protectimus TOTP Burner app if you’re linking a hardware PayPal security key Protectimus Slim NFC. If you aren’t able to scan the QR code, you can input the secret key manually.

PayPal 2-factor authentication set up - QR code with secret key

You’ll find detailed instructions for programming the secret key into the Protectimus Slim NFC token here.

Step 6

To finish setting up PayPal 2-factor authentication, generate a one-time password with your token and enter it in the provided field.

PayPal two-factor authentication - enter PayPal security code

Step 7

Create a backup token. If you lose access to your current token, you can restore access to PayPal with your backup token. Remember that if you choose SMS authentication for backup, your PayPal account login will be less secure, even if you linked a hardware security key in the previous step. The best option is to use a hardware token as your main means of authentication and a 2FA PayPal app as a backup, or the other way around.

| Read also: How to Backup Google Authenticator or Transfer It to a New Phone

PayPal two-factor authentication setup - set a backup

What’s the best option for PayPal two-factor authentication?

To answer this question, we’ve ranked the available PayPal two-factor authentication methods from strongest to weakest. Here are the results:

I place – Hardware security token

II place – 2FA app

III place – SMS authentication

Next, some details about each kind of token for PayPal two-factor auth.

Hardware security tokens

  • Hardware tokens are stand-alone, isolated devices.
  • A PayPal hardware token Protectimus Slim NFC never connects to the internet, making it invulnerable to viruses.
  • One-time passwords are generated on the device itself, not transmitted over GSM channels like SMS messages. This means that one-time passwords cannot be intercepted.
  • Even if you lose your security token, nobody who finds it will be able to gain access to your account. First, in addition to the token, a strong password is required. Second, someone who comes across the token will probably be unable to tell who the token belongs to and what service it’s linked to. Besides, you’ll definitely notice if your physical token is missing and change PayPal password immediately.
Protectimus Slim NFC - programmable security key for PayPal

The main disadvantages of hardware tokens are their cost and the fact that, sooner or later, the token’s battery will die, requiring you to buy a new token.

| Read also: The Pros and Cons of Different Two-Factor Authentication Types and Methods

2FA app

Two-factor authentication apps attempt to combine the safety of a hardware PayPal security key with the convenience of SMS authentication. Essentially, by connecting Google Authenticator to PayPal, users receive a stand-alone device for generating one-time passwords right on their smartphones.

Paypal two-factor authentication app Protectimus Smart

This method of securing a PayPal account is much better than SMS-based two-factor authentication. However, since smartphones have internet access, if you use a 2FA app to protect your PayPal login, there are some risks to keep in mind:

  1. If you lose your smartphone, you risk simultaneously losing your password and authentication token.
  2. Smartphones can also be infected by viruses, which may be able to extract one-time passwords from 2FA apps.

| Read also: 10 Most Popular Two-Factor Authentication Apps Compared

SMS authentication

First off, it’s worth noting that SMS authentication is better than nothing. If you aren’t able to set up an app for PayPal 2-step verification or order a hardware token, you should enable SMS-based PayPal 2FA, by all means.

PayPal two-step verification with SMS

Much has already been written about the disadvantages of SMS-based authentication. The main risks can be divided into three groups:

  • the possibility of replacing the user’s SIM card (SIM swap scam);
  • the risk of SMS messages being intercepted, if the SMS provider’s infrastructure is compromised or maliciously altered;
  • the possibility of SMS messages being intercepted on the end user’s device, by means of a virus.

The hacking of a Reddit employee’s account is one of the most widely discussed cases in which SMS authentication was defeated. The attackers were able to exploit vulnerabilities in the SMS authentication process to compromise the data of thousands of the social network’s users.

However, the disadvantages of SMS-based authentication do not stop at the three points on this list. There can be quite a few problems using SMS-based PayPal verification if the user travels to a different country (and is using roaming), or if the user travels to an area without cellular service.

| Read also: Dutch Scientists: SMS Verification Is Vulnerable

Frequently asked questions

How do I enable two-factor authentication on PayPal?

  1. Navigate to the settings menu.
  2. Choose the Security tab.
  3. Find “2-step verification”
  4. Choose a PyPal 2-factor authentication method: SMS or 2FA application (hardware tokens can be linked to PayPal as if they were 2FA applications).
  5. Scan the QR code containing the secret key to create a token in your app, or to program your hardware token.
  6. To finish setting up PayPal two-factor authentication, generate a one-time password with your token and enter it in the provided field.
How do I get access to my PayPal account if I lost my phone number or token?

To avoid problems with accessing your PayPal account in the event that you lose your phone or token, set up a backup token in advance. It’s best to use an app on another phone, or a Protectimus Slim NFC hardware token.

Can I replace my old PayPal security key with a new one?

Unfortunately, PayPal stopped selling its own hardware security keys. However, you can link the programmable Protectimus Slim NFC security token to your PayPal account.

How do I connect a hardware security key to PayPal?

Only programmable hardware TOTP tokens, like the Protectimus Slim NFC, can be used for two-factor authentication with PayPal. Programmable hardware tokens can be linked as if they were two-factor authentication apps. To link a security key to PayPal, you’ll need an Android smartphone that supports NFC.

How much does a PayPal security key cost?

The price of one Protectimus Slim NFC token is US$29.99 plus shipping.

Read also:

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

Share This Post On

2 Comments

  1. I have one of your old PayPal security keys which finally stopped working today. Does it have a battery that can be replaced? If not do you or PayPal have a replacement?

    Post a Reply
    • Hi Harry. Unfortunately, you can’t replace the battery in your old OTP token.

      But you can use one of our programmable OTP tokens (Protectimus Flex or Protectimus Slim NFC) with PayPal. You can connect such a token instead of a 2FA app. But note that you’ll need an Android smartphone with NFC support to program the token.

      The tokens work in the same way and differ only by their form factor.

      You can find more info about these tokens here:
      Protectimus Flex – https://www.protectimus.com/flex/.
      Protectimus Slim NFC – https://www.protectimus.com/slim-mini/index.php.

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This