PayPal adds authenticator app as 2-step verification option
PayPal; love it, or hate it. I had my troubles with the service in the past but have to acknowledge that it is one of the most popular online payment options thanks to its wide distribution.
PayPal customers who want to add that extra bit of security to their accounts can enable 2-step verification to protect logins against unauthorized access.
PayPal's been offering options to add a second layer of security to accounts since 2008 when it launched the PayPal Security Key feature. Security Key was a physical device that you could use to create a code that you had to enter to sign in to PayPal accounts.
Options to sign in using an app were introduced in 2014 with Symantec's VIP Access app that supported PayPal and other sites. Basically, what it did was generate a code that you had to enter.
The only other option that PayPal customers had up until now was to use SMS instead. PayPal would send a code using SMS and that code had to be entered in a secondary step on the PayPal site to sign in.
SMS has a few drawbacks: it is not particularly secure, you need a mobile connection, and messages are sometimes delayed or never arrive. Authenticator apps run locally on the device, which means that code generation is instant and does not require a mobile or Internet connection.
You can still use SMS as a backup option on PayPal.
PayPal authenticator app support
Authenticator applications are apps that run on a mobile device. These applications need to be linked to accounts during setup but work locally from that moment on.
PayPal does not list all authenticator applications that the service supports, and the recommendation that it makes to find an authenticator app is quite problematic.
PayPal states:
To download an app, go to your phone's app store, search for "authenticator app", and download one such as Google Authenticator or Microsoft Authenticator.
The suggestion to search for an application is vague, and it is quite possible that users may encounter less than stellar apps when they run searches. We do know that Google's and Microsoft's solutions work but that is about it (Authy works as well).
Setup
Here is how you use an authenticator application to protect PayPal better or switch from SMS:
- Sign in to your PayPal account. If you run into issues here, try our PayPal login guide to sort things out.
- Select the settings icon in the top right corner on the PayPal website.
- Go to Security > 2-step verification.
- Turn 2-step login on if it is set to off.
- When adding a device, select "Use an authenticator app".
- PayPal displays a QR code on the next page. You need to open the authenticator app that you use on your mobile device and use it to scan the QR code. If you cannot scan the code, type the 16 character code that is displayed underneath it instead.
- The authenticator app should pick up the company and your PayPal email address automatically.
- Type the six-digit authentication code in the field on the PayPal website to verify the link between the authenticator app and your PayPal account.
- You can set the authenticator app as the primary 2-step login method; this makes SMS the backup method.
- Select Done to complete the process.
Closing Words
Some users prefer SMS, others authenticator apps and PayPal supports both now. If you have not already, I suggest you enable 2-step login on PayPal to better secure the account.
Now You: Do you use PayPal or other payment services regularly or occasionally?
That is all good and fine. However it fails on the first step, “sign in to your paypal account”
Paypal wants a code to sign in. In order to tell paypal where to send the code I need to be signed in. Do people who set these things up ever try to use them?
They’re all bullshit since I changed my phone number they tell me I have to open up a new acct bc they won’t unlock my acct bc I don’t have the number that I have on the acct even though I can tell them all my information and tell them down to the penny how much I have on that acct they won’t unlock it and they said they can’t send the passcode to my email. They’re assholes! I will not be opening another acct with them.
This 2FA story is one of the creepiest ways companies like paypal are using to eventually steal your money from you… yeap, STEAL!
Like imagine you lose your 2fa enabled phone, do you really believe you’ll ever get to login to your paypal account again? or that paypall will offer any support AT ALL? they’ll do all in their might to make it impossible for you to do so, as you know it’s literally IMPOSSIBLE to reach paypal support, and they offer no email or ticket support whatsoever.
So bad luck … money gone
So best option for you guys is to just leave this paypal crooks altogether and use trustworthy services instead
what are you talking about, buddy????
Paypal saves cell phone numbers with the country code of the country where the account was opened. (Globalization?!) I live in a different country now. Paypal accepted the new cell phone number but saved it under the old country code – so I never got the confirmation SMSs.
Then I learnt about authenticators and installed VIP Access instead of confirmation by SMS. It worked 2 or 3 times and now I keep getting the message: “There’s an issue with the code you entered. Let’s try that again.” Communication with PPal is intentionally difficult, when they did reply I got smart advice, all of which entailed that I log in – which is just what I cannot do! I once spent 27mins in the queue on the helpline, then I had to quit. What else can I do???
Paypal is asking for a 6 digit code from my authenticator.
What authenticator?
I don’t see a Paypal authenticator.
WTF Authenticator app are they asking for?
Does Paypal make an authenticator?
Am I to use Google’s authenticator or maybe Yubico’s. Maybe Microsofts’ authenticator?
What authenticator ?
Any !
– Authenticator app from Google, Microsoft
– PC program like WinAuth
– One of the many browser extensions
– Password manager with built-in authenticator like KeePass/KeePassXC
Dear Martin, I hope you can help me out with a PayPal trouble. I have activated 2 steps authentication via SMS. That meant that a 6 digit code was sent to my mobile before logging in. I have recently switched to another mobile phone provider and have chosen to change my phone number. Now I can’t log in to my Paypal account as the system still sends the verification code to my old mobile which does not exist any longer. Their customer service is currently unavailable due to Covid. This is just unbelievable. What is your advice?
Did anyone notice that if you click “I’m having trouble logging in,” it will just text you a code, completely bypassing the authenticator app? All this time I thought I was extra secure because I used a Security Key dongle. When that finally died, they immediately let me in by texting me a code. When I changed to using Authy, they are still ready to text me. What’s the point of using a more secure 2FA method if the fallback is SMS?
NEVER use authenticator app….I used it and something is wrong and now I cannot access my account and have no one to speak to as they have automated answer machine on the number they offer as contact. WTF! and when I wrote an email to help center they sent me an email that I should check my paypal inbox….f*king kidding me;(
If someone has not entered a phone number to receive a 2FA-sms then there are always the security questions. They are chosen when setting up the account, they can be changed later, but they cannot be removed. This is to prevent users from actually being in the situation that you thought you were in.
– I had 2FA enabled
– I used Google Authenticator to generate OTP codes, it worked fine.
– I factory reset my phone, I didn’t save/back up the Google Authenticator “profile” for Paypal.
– I can’t login anymore, my Paypal password is ok but I’m stuck at “Enter the 6-digit security code from your authenticator app.”
– Paypal customer support sucks. No telephone support is available, I can’t get in touch with anyone there.
– What can I do?
exactly what happened to me….you can just cancel your credit cards and open a new account (that is if you wanna use paypal….they suck with support BIG time!!)
With the amount of problems they’ve had with security I rarely need to use it. I remember how wonderful it was to use the app on WP7 with vipaccess the workaround for ios/droid didn’t work on there so I gave up using the app even after mw10 it still didn’t work.
They need to support standard YubiKeys which are about $15-20 each like Google does.
why if I unfortunately enter verification code from Google authentication and the code is considered wrong by PayPal?
Thank you for the concise and useful instructions on setting up PayPal with Authenticator. Configured easily thanks to your instructions!
Hi,
I had google authenticator for paypal (Private) login. Once I had to reset my phone and uninstall google authenticator. After I reinstall google authenticator, I lost the link between google authenticator and the paypal. I could not login paypal without google authenticator, and backup SMS option is not available. I called paypal customer support, and they are not really supporting., but asking me to contact google. There is a flaw in the system and process. If google authentication fails there must be a fail safe that should work with SMS., but it is not there. So I would recommend to check before you use it or do not uninstall google authenticator from your mobile.
Just had this problem now… on the phone with Paypal support and as you said, it looks like there is a flaw in their process. On call waiting at the moment, hope they will sort it out!
You’re supposed to back up the key for just this scenario. Usually that involves saving the QR code that’s presented when you set it up initially, but you can do that in GA now (Transfer Accounts in the hamburger menu).
If you don’t understand 2FA and the implications (the onus is on you) then you shouldn’t be using it.
I discovered the authenticator app option while helping someone set up a consumer account but when I went to my account which is a business account the option wasn’t there. So it looks like it’s not supported for business accounts?? Maybe because they support hardware keys for business accounts?? Disappointing in any case.
same problem. I have a business account – i cannot find the 2FA setting.
Same problem here
I don’t see this option anywhere in my account!
Any idea why?
I’ve been using the Symantec vipaccess workaround for 2FA TOTP for a few years now.
Glad to know that PayPal is finally adding official support for 2FA TOTP now. Better late than never!
There exists a workaround at https://medium.com/@dubistkomisch/set-up-2fa-two-factor-authentication-for-paypal-with-google-authenticator-or-other-totp-client-60fee63bfa4f that made PayPal treat regular 2FA apps (like Authy) as if they were an official security key, which was pretty convenient during the years when PayPal did not support other 2FA apps than Symantec’s.
But nevertheless it’s great news that PayPal now has official native support for regular 2FA apps as well, judging by this article.
Sadly they have added geographical restrictions so if I have a PayPal USA account to make purchases in USA and have them shipped to my relatives, I cannot sign in. PayPal has stolen my money and frozen my account because I don’t login from the USA. They should allow this now that 2-factor authentication is added.
This comment thread will end on r/Iamverysmart. Tom is a goldmine for OP posts.
I’ve been using paypal as a buyer & sometimes for selling things on ebay.
I use a reserved email, with a password that is mind-boggling & impossible to remember
(I have my list of passwords without them being connected to an account : ie NOT Paypal : fgsghsdkuhgsuhghfsjhdsfhsl but just the password which I remember goes with which account.
The 2-step verification via SMS is a good advance in security.
Whilst some people don’t like paypal, I like it as I can transfer money to my bank account & buy things without giving out my credit card number.
PayPal support two-factor-authentication for years now. Nothing new here except there’s an app now and not just SMS or phone call options.
I still use and like the security key. I wish eBay had not dropped support for the key.
A major negative with PayPal is that they seem to be giving my PayPal email address to sellers, who then subscribe me to their newsletters or spam emails.
I’ve had the same problem, but as I use a dedicated email exclusively for paypal I don’t worry about the spam mails (which are surprisingly rare, maybe because I use it only on a few sites where I’m a good customer ?)
Yes, I use a custom address for PayPal (and every other forum/app/subscription that I have), which is how I know that the subscription is coming from them.
Sure I can change the address but then I have to jump through the verifications and changing my records of the current address, which is annoying.
PayPal should not be giving out user email addresses, anymore than they should not give out credit card numbers!
Using apps on a mobile device for authentication is neither secure nor does it improve privacy. But big business and government love tracking and want you to submit — and there are quite a few morons jumping on that train.
Well this just gets better. Some people still don’t have smartphones, let alone those mythical feature phones. In Canada, we still require landlines and VOIP for daily lives. Mobile phones can catch malwares and other goodies, if one is not careful. Not many people carry more than one mobile device. Lose it and you’re screwed. Prepaid mobile networks are lousy here in Canada.
It would be nice if Paypal allows security USB keys to log in as two factor authentication or universal second factor. I prefer to keep my eggs in different baskets.
Mobile networks in Canada also seem to cost three times more than anywhere else…
Indeed they are, the reason why fees of mobile networks cost an arm and network. Shareholders and companies gouge customers.
Paypal needs to leave legacy 2-factor/MFA behind. They need to embrace biometrics with certified liveness detection – now. These leftovers from the last 10-15 years of nearly no real digital security advancements means that now the attack surface has only increased. It’s no longer such a chore to obtain, one way or the other, someone’s typical credentials. And given Paypal’s transaction limits have been increasing significantly, it’s time for them to get more serious about providing stronger authentication that actually ties an account to the legitimate – and alive – user.
As someone who always has problems with biometrics (my skin is too dry to trigger fingerprint readers anywhere) I would prefer other methods. I can only imagine the aggravation of trying to use a biometric logon that consistently misreads or is unable to read my biometric ID, and I do not believe that any storage of biometrics is totally safe.
@JW: “They need to embrace biometrics with certified liveness detection – now.”
No, they don’t. Biometrics are not an acceptable authentication mechanism. Even doing SMS-based 2FA is more secure.
Biometric security is a terrible idea. It’s a key you usually leave everywhere you go, and you can’t change it if it ever gets “stolen”. As for “certified liveness detection”, it’s only a matter of time before someone figures out how to spoof that too.
Non-SMS MFA with an authenticator app and/or USB key are the way to go, for the time being.
No authentication here for accessing my PayPal account but of course a very strong password and a dedicated, reserved email address.
Speaking of email address and the way transactions are processed from the seller to the buyer via Paypal : I recently purchased a software license and after having provided my name, snail mail address and email, having chosen PayPal, I was surprised to notice that the PayPal login displayed the email address I had given to the software seller, which was not the one I use for PayPal (given as noted above that I have a PayPal only reserved email address). I consider this bothering.
I’d appreciate that credentials given to a seller be clearly apart from those reserved to PayPal. It is unclear to me if a seller is provided by PayPal my name and address when it appears PayPal is provided the email given to the seller. I may wish for instance to address a purchase to someone else than me, as a gift, and have that person be billed a 0.00 amount accordingly, in which case the name & postal address given to the seller wouldn’t match those of my PayPal account. But in this scenario does the seller receive from PayPal my PayPal name and address?
I don’t buy much on the Web but when I do it’ll always be via PayPal because sending my bank account references over the seven seas isn’t a perspective I’m fond of.
Thanks for answering my question. Glad to hear from people who already had experience with Paypal.
I was going to open a Paypal account for selling stuff on Ebay. Now I’m getting a little concerned about what may be wrong with Paypal. Is it safe to use like a Credit Card ?
I use it if there’s no other way. I don’t keep a card stored there, just enter it each time, skipping PP and going directly to the card, which easily can be done.
But I don’t use PP that much, so all that may be impractical for you.
Many ebay sellers won’t take any other payment method. Never had problems with PP for domestic or international purchases and have had CC’s stored there for years in the past.
@NowWhat:
I’ve used it as my main online payment method (and to transfer money to individuals) for years and have never had a problem. The problems that I’ve seen with PayPal seems to happen if you’re a vendor, not an ordinary user, but I am not an expert on that.
I’ve used it for years as a vendor and haven’t really had problems either. You do get customers trying it on and sometimes they get away with it but PayPal doesn’t simply side with them. Whatever service you use you’ll have some unhappy people.
Finally! I can’t believe it took them this long. Of course it’s still a mess, though. The Android PayPal app asks for an authentication code every time I open the app even though I’ve already confirmed my phone and have it setup to use my fingerprint. Ugh.
wow finally….took them only an eternity. Maybe we see +16 character long passwords before 2030 who knows -.-
The sad part with paypal and many others is that they still retain fallback to sms or mail which is anything but secure (mail is better than sms).
What is the point of good locked front door if next to it is a sign “if you forgot your key the backdoor is open”.
THIS!
It’s alarming to be presented with a number of menu choices for logging in. Sometimes I wonder why I even bother fussing with an authenticator app.
It’s becoming an art form, choreographing all of this.
“Do you use PayPal or other payment services regularly or occasionally?”
I use PayPal regularly. I wish I had another realistic option, as I’m no great fan of PayPal, but it’s the most commonly accepted payment scheme that allows me to avoid giving out my CC number.