From reading a different article, the terminology seems to be a bone of contention here. This '2FA' is an email message PayPal send when they detect a new login location. They do not call it 2FA and they do offer actual 2FA that cybernews have not bypassed.
It's very obviously a distinction without a difference though. Like the authors say, this is an amazing opportunity for black-market PayPal account buyers. It's the only line of defense that thousands of people have between black hats and their bank account. In any case, I'd definitely call this 2-factor authentication - the only difference is the trigger (every login vs suspicious logins). It just so happens that they have different code for each of those two cases, and these bounty hunters have discovered a bug in one of them.
I don't think I can agree that there's no difference, because if you say to me that you've bypassed PayPal's 2FA I'm going to think that you've bypassed the opt-in one, not the extra security check one. PayPal does not consider these accounts to "have" 2FA.
Overall that may be being too pedantic, and shouldn't give PayPal a pass on the issue. Perhaps even entertaining it is just muddying the waters, allowing PayPal to slip away. The extra check is a security check. If cybernews have bypassed it then they have bypassed a security check. Logically this is therefore a security issue, and if PayPal are saying that it's not a security concern then they're saying that they were just wasting everybody's time with the unnecessary check to begin with. That would clearly be a lie, as the fact that they developed and continued to use the system indicates that they think it provides security.
There's a huge difference between an informational email "somebody just logged into your account, was it you?" and a 2FA workflow which does not let you log in without entering the proper code. The latter is a security feature; the former is at most an auxiliary informational feature.
> I'd definitely call this 2-factor authentication -
You'd be misunderstanding what "authentication" means then. Notification and authentication are different things. Email is notification, not authentication. Confusing it means either not knowing what authentication is, or purposely confusing matters to present the issue as something it isn't.
To be clear, the extra check that is bypassed is not merely an informational message, the system sends you a message and you are supposed to have to enter something contained in that message in order to continue from that IP address/computer.
OK, if it blocks login then it's at least partial 2FA for those logins. I thought it was only informational, judging from the Forbes article, but if it's not then it's part of the auth workflow and thus can be regarded as 2FA.
I was about to dismiss the article thanks to lines like this:
> In essence, it would work with phished credentials just as well as with stolen ones
But, sure enough, it's not the opt-in 2FA, triggered on every login, that was bypassed, but the 2FA checks triggered when PayPal detects suspicious activity. As far as I can tell, if you've enabled 2FA yourself, this bypass won't work. Thanks for the link! Going to go make sure I've enabled that...
I went to enable the opt-in 2FA in response to this report. It's pretty rough, IMO. It gives you no way to use scratch codes as a backup. You're stuck with either adding a second TOTP device or allowing SMS as a backup.
Adding a second TOTP device is OK security-wise but adding a second device to my safe and making sure it's still working periodically kind of sucks.
SMS is not OK.
Printed scratch codes would beat the snot out of either.
You can make a backup by saving in some safe place a copy of the QR code and/or the 16 character text code Paypal gives you to set up your TOTP device.
You can then use that later to set up a replacement TOTP device if something happens to your first one.
I usually use "grab" on my Mac to save a copy of the QR code as a PNG, encrypt that, and save it in an offsite location.
Another popular approach is to print the QR code and save the printout in a fireproof safe. If you do that, I recommend printing it before you use it to set up your first device, and then set up the first device from the printed code just to make sure the printed code is fine.
If you save the text code, you can also use that with oathtool from oath-toolkit [1] to generate the TOTP code on the command line if you need to use Paypal before you have your replacement TOTP device.
Note: if you do want to have two TOTP devices set up at the same time, there are two ways to do this with Paypal. One way is just to scan the same code in both devices. You can either set them both up at the same time, or add the second one later using the backup you made of the original code.
The other way is to go to Paypal's security settings and explicitly say you want to add a backup TOTP. It will then give you a QR code to scan. That is not the same code as it gave you for the first device. The codes generated from the second device initialized from that second code will not be the same as the codes from your first device.
I have no idea what the user interface is for logging in when you have two devices generating separate TOTP sequences. Does it expect you to use the first device, and if that fails ask you to try a backup? Or does it just accept codes from either? Or something else?
Offhand, I can't think of any compelling reason to prefer your two devices to have different codes, or for Paypal to need to know that you are using two devices. Just setting them up with the same code and letting them appear to be the same device as far as Paypal is concerned seems simpler to me.
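Added example (not from this thread, PayPal or oath-toolkit): a minimal RFC 4226/6238 HOTP/TOTP implementation that shows why the post above works. Two "devices" provisioned from the same 16/32-character base32 text code are indistinguishable to the server, and a server accepts a small window of steps either side of the current one to absorb clock drift. The secret is the published RFC test-vector key ("12345678901234567890" in base32), not a real PayPal code; the function names are this example's own.

```python
# Added example (not from the thread): RFC 4226 HOTP and RFC 6238 TOTP in pure
# Python, used to show that two devices set up from the same base32 secret give
# identical codes and how a verifier tolerates clock drift.
import base64
import hashlib
import hmac
import struct

# The RFC 4226/6238 test-vector secret ("12345678901234567890"), base32-encoded.
# Constructed for this example; never reuse a published key as a real secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the text code (the 'secret' parameter of an otpauth:// QR) into key bytes."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # b32decode requires padding to a multiple of 8 chars
    return base64.b32decode(s)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (clock drift between phone and server), comparing in constant time."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), candidate)
        for d in range(-window, window + 1)
    )


def devices_agree(secret_a: str, secret_b: str, unix_time: int) -> bool:
    """Two 'devices' look like one device to the server iff they hold the same secret."""
    return totp(secret_a, unix_time) == totp(secret_b, unix_time)


if __name__ == "__main__":
    import time

    now = int(time.time())
    # Both "devices" were provisioned by scanning the same QR / typing the same text code.
    print("device 1:          ", totp(TEST_SECRET_B32, now))
    print("device 2 (same QR):", totp(TEST_SECRET_B32, now))
    print("same secret -> same code:", devices_agree(TEST_SECRET_B32, TEST_SECRET_B32, now))
```

The `totp()` output for the test-vector secret matches `oathtool --totp -b GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` run at the same second, which is the command-line fallback the post mentions. A backup device given a *different* QR (PayPal's "add a backup TOTP" flow) holds a different secret and therefore produces its own sequence, which is why the server has to know about it separately.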
Capturing the QR code is a good idea. I was reluctant to do that without verifying that there wasn't some time-based element to the QR itself that would make it hard to use when restore time came.
There is genuine disagreement about whether email qualifies as a second factor. As it is often just protected by a username and password the argument is that it's the same "something you know" factor as a password, or just an obfuscation of the same factor.
I will say, that if cybernews have done what they say that they've done, and PayPal are claiming that it's not a concern, then PayPal are clearly in the wrong, and that remains true even if we all agree that this isn't 2FA.
> As it is often just protected by a username and password the argument is that it's the same "something you know" factor as a password, or just an obfuscation of the same factor.
All factors are just varying obfuscations of "something you know" when you get down to it though.
I recently logged into the company PayPal from out of the country and PayPal complained it wanted to confirm the account via email; fine, I confirmed. And then it said it also needed to confirm it via phone, i.e. a call.
So it is a form of 2FA.
Can I also complain about how 2FA is a pain if multiple persons use that account? You cannot enable it if they allow only one user per account. There are workarounds where there are multiple 2FA methods and I use the app and the other person uses SMS.
I haven't looked at PayPal specifically, but if it's a standard authenticator app can you not both set it up via the QR code when you enable it while everybody is present?
However, obviously the real answer is to add multiple users to the same PayPal account, which apparently you can do with a PayPal Business account.