For the ninth day of the 12 Days of 2FA, we’ll look at how to enable two-factor authentication on PayPal. No matter where on the web you are doing your last-minute online holiday shopping, you are likely to run into the option to pay with PayPal.
PayPal calls 2FA and the associated verification codes “Security Keys.” This can be confusing if you think of security keys as hardware 2FA devices like YubiKeys. Regardless of the naming, the idea and execution are the same as other services we have looked at: if signing in requires something you have (like your phone) as well as something you know (your password), then your account has an added layer of protection.
PayPal offers 2FA via text messages or via Symantec’s VIP (Validation & ID Protection) authenticator app. Authenticator apps are more secure and avoid many of the pitfalls of SMS. However, SMS is more practical if you do not use a smartphone. Consider your threat model and choose the best mode for you. (If you use the PayPal mobile app, note that PayPal mobile is only compatible with text messages.)
There are a few ways to get to your 2FA settings on PayPal. Since they can be hard to find, we start you off with a link directly to your settings page. The steps below will take you to options for the Symantec VIP authenticator app as well as text messages.
Sign in to PayPal, and then click this link to get to the 2FA set-up page.
If you already have the Symantec VIP authenticator app, or if you want to install it first, select the option on the right to “Activate your Security Key.” Follow the steps to enter your serial number and verification code from the app.
If you want to use text messages for 2FA, select the option on the left to “Register your mobile phone.”
Enter and confirm a phone number at which you can receive texts. After reviewing the terms and conditions, click “Agree and Register.”
Shortly after you click, you’ll receive a text message with your verification code. Enter it and click “Activate.”
This will take you back to your 2FA settings page, where you can add up to three phone numbers, as well as report phone numbers that get compromised or lost.
Stay tuned for more posts on two-factor authentication during the 12 Days of 2FA.