How2factor: enabling 2FA for popular websites

See this companion post and for context.

1. PayPal

Some notes about the 2FA implementation of PayPal (they call it 2-step verification). See also

  • PayPal offers both SMS and authenticator codes. Strangely, the default option is SMS, despite the known security issues with SMS.
  • You have the option to add more authenticator codes, ideally on different devices. However, it’s enough to add one, as long as you back up the seed (in your password manager) so that you can re-add it to your authenticator app if needed.
  • Setting up SMS as a backup second factor will actually make things less secure than having only authenticator codes. That’s because during login, PayPal will offer the option to send an SMS instead of using the authenticator app.
Resist the temptation to add SMS as backup.
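
One way to confirm that the seed saved in your password manager really reproduces the codes your authenticator app shows, as an added example that is not part of the original post. It implements standard TOTP (RFC 6238) and assumes the common defaults of SHA-1, 6 digits and a 30-second step; the function names are illustrative and the seed is the public RFC 6238 test key, not a real account seed.

```python
import base64
import hashlib
import hmac
import struct
import time

def decode_seed(seed):
    """Decode a base32 seed as setup pages print it (spaces, lowercase, no padding)."""
    cleaned = seed.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped '=' padding
    return base64.b32decode(cleaned)

def totp(seed, at=None, digits=6, step=30):
    """Return the TOTP code for `seed` at Unix time `at` (now if omitted)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(decode_seed(seed), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def backup_matches(seed_backup, code_from_app, at=None, window=1, step=30):
    """True if the backed-up seed yields the code the app shows.

    `window` tolerates clock drift of that many time steps either side.
    """
    now = time.time() if at is None else at
    shown = code_from_app.replace(" ", "")
    return any(
        hmac.compare_digest(totp(seed_backup, now + drift * step, step=step), shown)
        for drift in range(-window, window + 1)
    )

# Constructed sample: RFC 6238 test key "12345678901234567890" in base32,
# typed the way a setup page might display it.
SAMPLE_SEED = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    code = input("Code currently shown in the authenticator app: ")
    seed = input("Seed stored in the password manager: ")
    print("backup OK" if backup_matches(seed, code) else "backup does NOT match")
```

Run it once right after enrolling: if the stored seed does not match, fix the backup while you still have access to the account.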

To be continued…