2FA, the common abbreviation for two-factor authentication, is a term that comes up whenever you set up a website or account where security matters. With more and more confidential information held online, it makes sense to add measures beyond a password to keep attackers out of an account. PayPal gives you the option, once you have created an account, of completing a few steps to add this extra layer of security. In this tutorial, we walk through the simple steps to enable two-factor authentication for a PayPal account.
What is 2FA?
Two-factor authentication (2FA), in simpler terms, adds a second check to a login so that a stolen or guessed password on its own is not enough to reach sensitive information. Think of it as a second locked door in front of your platform (website, bank account, member login). 2FA is usually an option you can switch on for a site where you store sensitive information; many banks offer it for their online portals, and PayPal, a global name in online payments, lets its customers enable it to add a further layer of security to their accounts.
2FA comes in many forms, but it usually involves a second device such as a mobile phone, to which a code is sent or on which a code is generated. The account holder enters that code after their correct login details to gain access. A phone or authenticator app makes sense as the second step because only the account holder should have it in hand. (An email account is a weaker choice: if the mailbox is protected by the same password, it is not really a second factor.)
Two-factor authentication requires you to present two pieces of evidence, drawn from different categories, that you are the ‘real’ owner of the account. The three factors are something you know (a password), something you have (a phone or hardware token) and something you are (a fingerprint or face). Online 2FA generally combines something you know (login name and password) with something you have (a code delivered to, or generated on, your mobile phone).
To read up on more information about two-factor authentication please see our related article here.
Why Should I Enable 2FA for PayPal?
We will get to ‘How to Enable 2FA for PayPal‘ in the next section, but first it is worth understanding why 2FA matters for your PayPal account. Accounts that hold sensitive information such as your home address and bank details should have more than one layer of protection. With 2FA, an attacker who obtains your password still cannot log in without your phone or authenticator device, and so cannot reach your data. Your PayPal account may hold your bank cards, current address, date of birth and even your occupation: exactly the details a fraudster can use to siphon money from your bank account. 2FA also acts as an alarm: because a code is sent to your phone or app each time a login is attempted, an unexpected code tells you that someone else has your password, and you can change it to something stronger before any damage is done.
No amount of authentication can make an account 100% secure, but a stolen or guessed password on its own is worthless against an account with 2FA enabled, whereas it opens a single-factor account immediately. If you are a merchant it is doubly important to enable 2FA, to protect transaction details and, more importantly, the funds held in your account.
Is 2FA a Hassle When Logging in to PayPal?
When you enable 2FA for your PayPal account, you will need to enter one additional piece of information when logging in. This takes a moment longer, but the benefit clearly outweighs the inconvenience; many systems, internet banking among them, now make 2FA logins mandatory.
If you have opted to receive the code by SMS, you will need mobile phone service at the time of login. An authenticator app generates its codes on the phone itself, so it needs neither signal nor data; the only connection you need is the one you are already using to reach PayPal.
Enabling Two-Factor Authentication (2FA) for my PayPal Account
When you set up a PayPal account, 2FA is not automatically enabled. In this section, we will take a look at the simple steps in ensuring your PayPal account is protected by two layers of security when logging in.
PayPal offers more than one way to deliver the second factor: the code can be sent to you by text message (SMS) or generated by an authenticator app on your phone (the setup screen also lists a security key). Many practitioners prefer the app or a key: an SMS code travels over the mobile network and can be redirected by an attacker who takes over your phone number (a so-called SIM swap), whereas an authenticator app computes the code on the device itself and never transmits it. Others find SMS simpler, since the code arrives in Messages ready to be typed into the PayPal field. Whichever method you choose, each adds a second layer of security to your PayPal account.
Before you follow the steps below, decide how you wish to receive the 2FA code each time you log in to your PayPal account:
- Via Text Message (SMS)
or
- Via a Smartphone Application
Enabling 2FA for PayPal
- First things, first. You will need to start by logging into your PayPal account. If you are yet to create an account, doing so is simple and free. We have some PayPal related videos here that will get you started.
- Once you are in your PayPal account, click on the ‘Cog’ Settings icon. Then you will need to click on ‘Your Profile‘. This will take you to the profile settings page.
- Click the ‘Update‘ button within the 2-step Verification section.
- You will now see a number of options to choose from to better secure your PayPal account. You can choose between ‘Text me a code‘, ‘Use an authenticator app‘ or ‘Use a security key‘.
- Once you have selected the way you would like to receive the code for the two-factor authentication, click ‘Set It Up‘.
- If you chose SMS, add the phone number the codes should go to; if you chose an authenticator app, follow the simple on-screen steps to link the app.
- Click ‘Next‘ and confirm you are the ‘real’ owner of the secondary authentication by providing the code sent to you by PayPal.
- You can add backup devices at this stage if you wish. Click ‘Done‘ to complete the setup. You can revisit these settings at any time to change them.
Logging Into PayPal with 2FA
If you have enabled two-factor authentication for your PayPal account (see the previous section), each time you log in you will enter your normal credentials (email address and password) followed by a code, either sent to your mobile by SMS or generated by your authenticator app. Enter the code promptly once you have it, as it is only valid for ten minutes.
If you have opted to authenticate your login via text message the flow of events will look like the following:
- Sign in to your PayPal account using your email address and password.
- Press ‘Continue‘ to have the one-time code sent to your phone by text message.
- Open the text message you receive and enter the code into the appropriate field.
- Click ‘Continue‘ if you were able to enter the code, or click the ‘resend‘ button if you are yet to receive the code.
- If you have entered the code correctly, you will be logged into your PayPal dashboard. You will be able to go about your business as normal.
Related Posts
Security researchers in the USA have just disclosed a flaw in PayPal’s two-factor authentication (2FA) system.
As you probably know by now, 2FA is a way of boosting login security so that just knowing, or guessing, someone’s username and password is not enough.
Most online 2FA systems work by asking for your username and password, which may stay the same for weeks, months or even years, and then asking you for a passcode that changes every time you login.
Your passcode might come from a dedicated security token that displays an unguessable sequence of numbers that changes every minute, or you might receive a text message on your mobile phone with the passcode in it.
Either way, the idea is simple, and powerful:
- The passcode isn’t sent to you via the same device you usually use to enter your username and password, so even if a crook has infected your computer with malware and can snoop on everything you do, he’s still only halfway there.
- The passcode is only valid once, so even if a crook does manage to intercept it when you finally type it in, it isn’t much use.
That’s why many financial organisations and payment processors, including PayPal, have made 2FA available to their customers.
It isn’t a silver bullet against cybercrime, but it does make things much trickier for the crooks.
You can read more about the hows and whys in my VB2006 conference paper, which remains relevant despite its age: Can Strong Authentication Sort Out Phishing and Fraud?
(No download registration required.)
The PayPal flaw
Here’s the quick version of what went wrong in PayPal’s system.
Before we start, it’s probably worth pointing out that the researchers who disclosed the flaw work for a company that produces a 2FA product, but not the one that PayPal uses; their product is marketed as a bit of a technology disruptor, boldly claiming to “democratize the use and deployment of strong authentication so that all users can benefit from them, not just the Fortune 500.”
And when PayPal announced that it would be rolling out a complete fix by 28 July 2014 and asked the researchers if they were willing to delay their disclosure for another month, they said, “No.”
But they did wait until PayPal had implemented a mitigation that prevents the flaw from being abused to bypass 2FA.
So, given that the flaw is no longer exploitable, and that there are some important lessons to be learned, here we go.
It all started with a chap called Dan Saltman, who noticed that when he tried to login to his PayPal account from his iPhone, it wouldn’t let him in, because PayPal’s mobile apps don’t yet support 2FA.
He could put in his username and password, but because the iPhone app had no way of dealing with his 2FA passcode, it bailed out at that point.
But Dan also noticed that if he put the iPhone into flight mode somewhere in the middle of trying to log in, thus abruptly killing all data flow in and out, he’d sometimes end up logged in when he later reactivated his data connection.
You don’t need to be an expert in protocols or cryptography to realise that there is something very wrong with that.
It implies that there is something about the login process that puts the detail of whether to require 2FA or not into the hands of the client.
This sort of “client chooses” problem is typically associated with backward compatibility. Many protocols live with the past by getting the server to ask the client to use the latest and greatest level of security if it can, but allowing the server to fall back on a less secure method if the client cannot. An example: many chip-and-PIN payment systems will fall back to using the magstripe on cards that don’t have a chip.
The researchers wondered, “Was this apparent protocol glitch an obscure piece of blind luck in timing, or could it be exploited systematically?”
Unfortunately for PayPal, the researchers were able to write Python code that reliably automated the 2FA bypass.
Greatly oversimplified, the bypass went something like this:
- Start logging in via the general-purpose PayPal login URL, with username and password.
- Get back from PayPal a session_token (i.e. authorisation to proceed) plus a notification saying 2fa_enabled=true.
From this, you might reasonably assume that the session_token would be useless, because it wouldn’t work until after the 2FA validation stage.
Indeed, PayPal’s mobile apps simply bail out here, knowing that they can, at least in theory, go no further.
But the researchers did this:
- Connect to a PayPal URL specific to mobile devices anyway, presenting the session_token plus a notification saying 2fa_enabled=false.
And in they sailed, logged in with enough authority to make payments!
What went wrong?
What could PayPal have done differently?
Firstly, the 2fa_enabled=true should be a statement by the server, not merely a suggestion to the client.
In fact, if you tell a client that 2fa_enabled=true and the client later tries to claim that 2fa_enabled=false, you should treat that as a protocol fault (or a hacking attempt) and invalidate the login automatically.
Secondly, since the server knows that 2fa_enabled=true and thus that authentication is not yet complete, it shouldn’t hand out a session_token until after 2FA validation has succeeded.
It doesn’t make technical or intellectual sense to tell someone that 2FA verification is still needed yet hand them an authentication token at the same time.
That’s a bit like answering a knock at your front door with a, “Who’s there?” and then throwing the door open anyway so you can hear the reply.
Thirdly, because PayPal knows that its mobile apps don’t support 2FA, the URLs specific to processing payments from mobile devices shouldn’t work for accounts where 2fa_enabled=true.
That’s like answering a knock at your front door with a, “Who’s there?”, getting the reply, “Someone who isn’t allowed into your house,” and then throwing open the door anyway.
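The three fixes above, as an added example that is not the article's or PayPal's code: a toy model of the login exchange, with the client-trusting server beside a hardened one. The user store, the endpoint names, `challenge_id` and the hard-coded passcode are constructed for illustration; `session_token` and `2fa_enabled` follow the article's description of the exchange, and no real PayPal API is reproduced.

```python
"""Added example: the 'client chooses' 2FA bypass modelled against a vulnerable
and a hardened server. Constructed for illustration; not PayPal's code."""
import hmac
import secrets

# Constructed user store. A real server stores password hashes, not passwords.
USERS = {
    "alice": {"password": "correct horse", "totp_enabled": True},
    "bob": {"password": "hunter2", "totp_enabled": False},
}
# Constructed passcode standing in for a real TOTP check.
EXPECTED_CODE = "287082"


def bypass_attempt(server, username, password):
    """The researchers' bypass, oversimplified as in the article: log in with
    only the password, then hit the mobile endpoint claiming 2FA is off."""
    reply = server.login(username, password)
    token = reply.get("session_token")
    if token is None:
        return False
    return server.mobile_action(token, {"2fa_enabled": False}) == "payment sent"


class VulnerableAuthServer:
    """Hands out a session_token before 2FA completes and lets the client's own
    2fa_enabled flag decide whether the second step is still needed."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username, password):
        user = USERS.get(username)
        if not user or not hmac.compare_digest(user["password"], password):
            return {"error": "bad credentials"}
        token = secrets.token_hex(16)
        self.sessions[token] = username  # issued too early
        return {"session_token": token, "2fa_enabled": user["totp_enabled"]}

    def mobile_action(self, token, client_state):
        if token not in self.sessions:
            return "rejected"
        if client_state.get("2fa_enabled"):  # the client chooses!
            return "2fa required"
        return "payment sent"


class HardenedAuthServer:
    """Fix (2): no session_token until the second factor is verified.
    Fix (1): the 2FA requirement is server state; a client that contradicts it
    has its login invalidated.  Fix (3): the mobile endpoint, which cannot do
    2FA, refuses accounts that have 2FA enabled."""

    def __init__(self):
        self.sessions = {}  # token -> username, fully authenticated only
        self.pending = {}   # challenge_id -> username, password OK but 2FA outstanding

    def login(self, username, password):
        user = USERS.get(username)
        if not user or not hmac.compare_digest(user["password"], password):
            return {"error": "bad credentials"}
        if user["totp_enabled"]:
            challenge = secrets.token_hex(16)
            self.pending[challenge] = username
            return {"challenge_id": challenge, "2fa_enabled": True}  # no token yet
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return {"session_token": token, "2fa_enabled": False}

    def verify_2fa(self, challenge_id, code):
        username = self.pending.pop(challenge_id, None)  # one attempt per challenge
        if username is None or not hmac.compare_digest(code, EXPECTED_CODE):
            return {"error": "2fa failed"}
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return {"session_token": token}

    def mobile_action(self, token, client_state):
        username = self.sessions.get(token)
        if username is None:
            return "rejected"
        server_says_2fa = USERS[username]["totp_enabled"]
        if server_says_2fa and not client_state.get("2fa_enabled", True):
            del self.sessions[token]  # protocol fault or attack: kill the login
            return "rejected: contradictory 2fa claim, session invalidated"
        if server_says_2fa:
            return "rejected: mobile endpoint does not support 2fa accounts"
        return "payment sent"
```

Run `bypass_attempt` against each server with alice's credentials: the vulnerable one pays out, the hardened one never produces a `session_token` for the attacker to present. Fix (2) alone, the one PayPal shipped first, is what closes the bypass; fixes (1) and (3) are defence in depth for the day some other path hands out a token early.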
What next?
It’s important to notice that this flaw applies to your account even if you don’t use PayPal’s mobile app yourself.
A crook who has your username and password, stolen by a keylogger on your laptop, for example, could have used PayPal’s mobile payment system to login and make payments without needing to know your 2FA passcode.
That cancels out the benefits of 2FA that we listed at the start of the article.
The good news is that although PayPal hasn’t yet put in place a complete fix for this flaw (e.g. by making all of the changes above), the researchers report that PayPal has implemented change (2).
Crooks who try to bypass your 2FA by abusing this flaw will no longer be able to get hold of the session_token they need to trick the mobile payment URL into thinking they have logged in properly.
In short, if you are using PayPal 2FA, you may as well continue doing so, because it provides no less security than it did before this disclosure; in fact, it is now more secure than it was.
Also, of course, remember that you shouldn’t be letting crooks get hold of your username and password anyway.
Don’t let your guard down just because you have enabled 2FA: it’s part of defence in depth, not defence instead!
For further information
If you’d like to know more about 2FA, you might like to listen to our Techknow podcast: