If You Turn off SMS 2FA in PayPal, It Won't Come up as an Option Anymore after

The warning I wish I had (and at least 1 other person had), sorry my title could be better but I'm a little loopy out of the hospital.

As I'm sure many of you here have 2FA set for PayPal, my choice of authenticating was via SMS OTP, if I was buying on the phone I could literally just press one button to copy and paste, boom done.

As I was placing a lot of orders consecutively one day for a particular pizza chain, I turned off 2FA's just so that I didn't need to authenticate every login. When I went to turn it back on, there was no option to set an SMS 2FA, only Authenticator. Thought it might have just been a 24-hour timed thing as I just turned it off but no, a week later still Authenticator only! Or some weird key.

Now I mostly make my purchases directly from my Cashback App's in-app browser, I always just complete it right away without minimising the tab since I get mf enraged when they accuse me of 'clicking away, minimising my tabs etc' when I know I didn't. Yet, with Authenticator, I would have to back out, find the App, click the code etc, so many extra steps compared to the good ol' days of clicking 'copy XXXXX' and pasting it in 2 seconds.

Reached out to PayPal to see if it's something they can reapply to my account, and they said no. Once SMS 2FA is turned off, it will no longer be an option further onwards. If they had put that out as a warning before, I would have never turned it off, so I'm annoyed to h3ll. I can still get SMS 2FA by clicking the 'don't have the app' something like that and 3 clicks later will send me a text but hey, now you know!

PayPal's response to my request:

Text message or SMS confirmation for 2FA is already removed and not available for 2FA option. 2FA can only be activated through authenticator app.

You can refer to the Help page of your website regarding 2FA, or simply click this link: https://www.paypal.com/au/cshelp/article/what-is-2-step-veri… for your reference. The article indicates that accounts that have 2FA via text activated will continue to have this feature, but the user cannot re-enable this feature again once turned off and really needs to use the authenticator for 2FA.

Comments

  • +3

    SMS 2FA is not secure anyway, it's considered the weakest in the security hierarchy of 2FA methods. Lots of companies are dropping SMS 2FA. https://twitter.com/troyhunt/status/1627068015958454276?lang…

    Text message or SMS confirmation for 2FA is already removed and not available for 2FA option. 2FA can only be activated through authenticator app.

    TBF Authenticator isn't bulletproof either (you can be tricked via phishing or social engineering), but at least it can't be defeated via SIM swapping or number jacking attacks.

    The most secure method is to have a hardware key, PayPal gave me a freebie years ago after I made a customer complaint, but once the battery ran out, they no longer issued replacements and told me to use another method.

    • +1

      Have a look into YubiKey. IIRC this works with PayPal, but only for Android users. iOS users need to use the app. I could be wrong though, as I read about this sometime earlier this year and things may have changed, but it may be suitable for you.

    • Haha yeah but it was the most convenient for me as I didn't need to leave the app I'm in. How does the hardware key work? Thought it's like a USB but didn't know how I would use it with a phone

      • Symantec VIP Security Card. It's an old-school OTP generator with a button and a small LCD display that displays a 6-digit code whenever you press it.

  • Many companies are moving away from 2FA via text due to increased costs, smishing, SIM swap fraud and a lower level of security than via an app (which has biometrics or a passcode to get access to the app). While I much prefer the convenience of text, I was tempted to try the app with PayPal vs SMS codes. So I thank you for the warning! As would've likely been in the same boat of wanting to go back to SMS.

    The fact that they aren't even warning you that once you take it off, you're done for good is a very poor customer experience IMO. Security is a huge thing these days, especially in the payments space. Allowing the customer to remove a security layer, but not actually advising them that once they do so, they won't have it again and will need to set up the app instead is not cool at all. I would've expected that they make it mandatory to set up the app first so you can then use that to provide the 2FA code, in order to remove the text based 2FA option. But to just let you remove it and without a warning is pretty sh1t.

    • The annoying thing is that I set up PayPal Biometrics and it never works! Then I have to use authenticator anyway.

      I was actually quite surprised recently when I ported over to Lebara but I needed to text them the OTP, but since my previous plan expired I called them instead and during the call they said my number was already ported. I said…. That's not very secure then is it.. And got a nervous laugh in response. Nothing's safe these days, damn scammers!

  • As I was placing a lot of orders consecutively one day for a particular pizza chain, I turned off 2FA's just so that I didn't need to authenticate every login.

    Seems far easier to just enter the 2FA SMS than to log in to PayPal to disable 2FA SMS.

    Text message or SMS confirmation for 2FA is already removed and not available for 2FA option. 2FA can only be activated through authenticator app.

    Well now we all know. Thanks for the heads up!

    • Logging into PayPal once to disable 2fa, or using 2fa to authenticate 6x lol. Of course now in hindsight it's cost me a lot more time 😢

  • +1

    Thanks for the heads up. I agree, definitely thought about this, but for the same reason I decided to just put up with it because honestly losing my authenticator login details to me was harder.

    • Saving others from making the same mistake I made makes me feel a bit better haha. A pop-up warning or something would have been nice, damn.
