As a major a payment system, PayPal is heavily targeted by criminals using phishing attacks (bogus sites that look like the real thing but aren’t), usually using 'password reset' emails. Protecting accounts using two-factor authentication (2FA) is therefore essential despite the fact that few users seem to be aware the service offers this form of security.

Unfortunately, although PayPal implements 2FA it can be confusing and, in our view, potentially insecure. It is still worth using against relying solely on the traditional email address and password login.


2FA is enabled on PayPal by clicking on the gear wheel icon in the top right of the account overview and clicking on the security tab. This offers five options – the one needed is confusingly labelled ‘Security Key’. Users then register their mobile phone number after which they are sent a 6-digit one-time PIN (OTP) number via SMS every time they either log into PayPal or debit money from their account to pay for something. This means that even if a criminal has the user's user name and password they can’t access the account without also receiving the one-time PIN sent to the registered mobile phone number.

What happens if users mislay their mobile phone to receive the OTP PIN? Even with the phone, moble services aren't reliable from every location. Remember without the phone it shouldn’t be possible to log into the account until the account SIM/number has been reinstated on a new phone or SMS access returns. But in turns out there is a way around this by answering two old-fashioned security questions such as the name of a childhood best friend or a pet as long as these were set up in the security settings during a previous visit.

An alternative and more sopisticated for of 2FA is to buy and enable a what PayPal calls a Security Key Card, which we understand to be the proprietary VeriSign Identity Protection (VIP) card which generates OTPs at the user’s end. It can also be embedded on the excellent Yubikey token we covered earlier in 2015. We’d tell you more about this card but unhelpfully the link on the PayPal returns a ‘page no longer exists’ message and clear information about setting it up in the UK is scant. We will amend this feature if we get a response from PayPal but it’s possible it’s not been rolled out to all countries yet. 

PayPal’s basic authentication should be better than this. Security questions are a major weakness because they can often either be guessed or winkled out of the user using social engineering. It's true that authentication is always going to be a trade-off between hassle and security but in our view Google’s 2-Step Verification system uses a better backup procedure in which the user sets a secondary phone number, either mobile or mainline number. Google also allows users to print out a set of unique one-off backup codes that can be used in an emergency and offers the Authenticator app for mobile use.

As for hardware tokens such as the U2F-compliant Yubikey token, the search giant makes it much easier to set up this kind of service than PayPal.