Authenticator App Support in PayPal (Finally)

As you hopefully know, PayPal supports two-factor authentication (2FA), and hopefully you have enabled it on your account(s). With 2FA, even if your email address and password are somehow compromised, an attacker cannot log into your account without a second factor: typically an authenticator app, a security key, a biometric sensor, or a code sent by SMS message. SMS is the weakest of these, since a number of attacks (SIM swapping, interception on the carrier network) let an attacker receive messages intended for the victim's phone number.

Until recently, PayPal effectively offered only one form of 2FA, which it calls "2-step verification": SMS. In the past you could purchase a physical PayPal security key, a small hardware token that displayed one-time codes. That no longer seems to be an option. For new users and accounts, the only option, buried in the account settings, was the SMS/mobile phone "security key." It was better than nothing…

Some savvy users found a work-around to roll their own authenticator app support by reverse-engineering PayPal's enrollment flow and writing scripts. Besides being user-unfriendly, that approach raised other concerns: what happens if PayPal changes its system? Would you be locked out of your account? How long is the key valid?

Well, those concerns are gone: PayPal has finally, and quietly, (re)introduced authenticator app support for user accounts. It is not obvious how to enable it, especially if you already had SMS-based 2FA turned on. Considering how important financial account security is, one would expect a little more guidance here. Google, Facebook, Amazon and the other major tech companies already support authenticator apps and various other 2FA methods.

After logging into your account, you will see something like this:

Select the gear icon in the top right corner to open your account settings, then select the Security tab:

PayPal calls this "2-step verification". If you haven't enabled it before, you have to enable it first. Otherwise the option will say "Update":

If you're updating, you will see your previous SMS-based verification method listed as the primary device, with the associated phone number. There is no obvious mention of authenticator apps anywhere. You have to select "Add a device" under "Your backups":

Finally, after all these steps, PayPal tells us that, yes, authenticator apps are supported:

If we select the authenticator app option and choose "Next", we get the standard QR-code screen. If you have an authenticator app on your smartphone, simply scan the QR code shown on your screen; otherwise enter the key manually, for example if you don't trust your phone's camera, or if you keep TOTP secrets on a hardware token such as a YubiKey (via Yubico Authenticator).

NOTE: This is also the moment to make a copy of the QR code or the secret key for backup purposes. The secret is all that is needed to set up another authenticator app later, or to recover after losing or erasing your device. PayPal does not provide recovery codes, unlike many other services, so the responsibility for a backup is yours alone. Because that secret *is* the second factor, store the copy offline or in an encrypted vault, never alongside your password. Alternatively, use an authenticator app with a built-in encrypted backup option (e.g. Authy). It is always a good idea to test your backup/recovery strategy before you are forced to rely on it.

To verify that everything is working, enter the current 6-digit code shown in your authenticator app and choose "Confirm":

That's it! Now that you have added the authenticator app as a "backup" 2-step verification device, make it the primary device and delete the old SMS/mobile device, so that the weaker SMS channel is no longer a fallback an attacker could target.


8 Comments

  1. Great article, gave me hope but
    unfortunately PayPal let me down!!
    Supports Apple iOS but NOT yet Android

    1. Oh, are you using the PayPal app? I remember reading about issues with 2FA. Let’s hope there’s an update with proper 2FA support! I guess they prioritize easy access to funds, over protecting the cards and accounts underlying them…

  2. Finally, PayPal got 2FA to work on Android & Authy.
    Now I just wish PayPal gets some real competition.

  3. I'm not seeing the same thing on my account. The settings screen looks different, with a nav menu going down the left instead of tabs at the top. Under Login and Security is "Security Keys", with a link to "Update". That takes me to a "Manage Security Keys" screen, which lists my Registered Mobile Device Numbers and has links to "Register a new mobile device number" or "Activate a new security key token". If I click on the link to activate a new security key, it still goes to the page showing the old PayPal/Symantec VIP tokens, and asking for a serial number + two of the 6 digit codes.
    My Paypal account is a business account, based in the US, in case either of those matter.
    Looks like I’m stuck still using SMS or a Symantec VIP based credential for now.

    1. I have the same problem, also with a business account. I guess they only support it for personal accounts.

    1. Do you have backups of your authenticating device? You might be able to restore the app and its data from there.

      Otherwise you will have to use your security questions to unlock your account, or possibly contact PayPal support as a last resort. NOTE: I’ve never had to do this, so I can’t say what the exact process is, but I imagine there is some info you can provide to verify your identity.

      NOTE: it’s VERY important to have a backup authentication method, in case you lose the primary. Many sites will provide a set of one-time “recovery codes” you can print during the authenticator setup. Always do that! I also prefer to keep a backup of the QR code (or the manual entry key) somewhere safe. That way I can set up multiple authenticators later, and it doesn’t matter if I lose or erase them by accident.

      With PayPal, your only backup option is either to use an authenticator app with backup support (Google lacks it…), or keep your own copy of the QR code or secret key. I probably should mention this in the post.

      Hope it works out for you, good luck!
