
As you hopefully know, PayPal supports two-factor authentication (2FA), and hopefully you have enabled it on your account(s). 2FA means that even if your email address and password are somehow compromised, a hacker won’t be able to log into your account without a second form of authentication, typically an authenticator app, a security key, a biometric sensor, or an SMS message. However, SMS-based authentication is probably the least secure of these, as there have been a number of exploits allowing hackers to intercept messages intended for the victim’s phone number.
Until recently, PayPal really only offered one form of 2FA, which they call “2-step verification”: SMS. In the past, you could purchase a physical PayPal security key, which would generate one-time codes, similar to a Yubikey device. That doesn’t seem to be an option any longer. For new users and accounts, the only option found buried in their account settings was SMS/mobile phone “security key.” It was better than nothing…
Some savvy users managed to find a work-around to roll their own authenticator app support, by reverse-engineering PayPal’s system and creating scripts. But besides the user-unfriendliness of such an approach, there were other concerns: if PayPal changed their system, would you be locked out of your account? How long is the key valid?
Well, those concerns are no more, as PayPal has finally, quietly (re)introduced authenticator app support to user accounts. It’s not necessarily obvious how to enable this, especially if you already had SMS-based 2FA enabled. Considering how important financial account security is, one would expect a little more guidance here. Google, Facebook, Amazon — all the major tech companies already support authenticator apps and various other 2FA methods.
After logging into your account, you will see something like this:

By selecting the gear icon in the top right corner, you will open your account settings. Now you will select the security tab:

PayPal decides to call this “2-step verification”. If you haven’t enabled it before, then you have to enable it. Otherwise, it will say “Update”:

If you’re updating, you will see your previous SMS-based verification method listed as the primary device with the associated phone number. Nowhere is there any obvious mention of authenticator apps. You have to select “Add a device” under “Your backups”:

Finally, after all these steps, PayPal tells us that, yes, authenticator apps are supported:

If we select the authenticator app option and choose “Next”, we get the standard QR-code scanning screen. If you have an authenticator app on your smartphone, you can simply scan the QR code shown on your screen. You can instead enter the key manually if you don’t trust your phone’s camera, or if you use some other authenticator, like a Yubikey.
NOTE: At this point, it is also very useful to make a copy of the QR code or secret key for backup purposes. This allows you to set up another authenticator app in the future, or to recover if you lose or erase your device. PayPal doesn’t provide recovery codes, unlike other services, so the responsibility to back up is yours alone. Alternatively, you could use an authenticator app with a built-in backup option (e.g. Authy). It is always a good idea to test your backup/recovery strategy before you are forced to rely upon it.
To verify that all is working correctly, you will enter the 6-digit code shown in your authenticator app, and choose “Confirm”:

That’s it! Now that you have added the authenticator app as your “backup” 2-step verification device, you can make it the primary device, and delete the old SMS/mobile device.
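One way to test the backup described in the note above, as an added example that is not PayPal's code or part of the original post: it parses the text a provisioning QR code encodes and recomputes the 6-digit code from the saved secret, so you can compare it with what your authenticator app shows. It assumes the QR code carries a standard `otpauth://` TOTP URI with the usual RFC 6238 defaults (SHA-1, 30-second step), which the page does not confirm; the URI and secret below are constructed from the RFC test key, and the function names are hypothetical.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the RFC 6238 test key, not a real account secret.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def parse_otpauth(uri):
    """Extract TOTP parameters from the text encoded in a provisioning QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")),
            "secret": q["secret"],
            "digits": int(q.get("digits", 6)),      # assumed default
            "period": int(q.get("period", 30)),     # assumed default
            "algorithm": q.get("algorithm", "SHA1").lower()}

def decode_secret(secret):
    """Accept the key as typed by hand: lower case, spaces, missing padding."""
    s = secret.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 code for the time step containing `at` (Unix seconds)."""
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(decode_secret(secret), struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def backup_matches(secret, code_from_app, at=None, window=1, period=30):
    """True if the saved secret yields the app's code within +/- `window` steps."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, now + i * period, period=period),
                                   code_from_app)
               for i in range(-window, window + 1))

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], digits=p["digits"], period=p["period"]))
```

If `backup_matches` returns False for a code your phone is currently showing, the saved copy of the key is wrong or the clock on one of the devices is off by more than the allowed window.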