I use two factor authentication (2FA) on a number of platforms, including PayPal. I recently got locked out of PayPal when their 2FA SMS messages stopped arriving at my phone. Thankfully, I found an alternative in the form of the Symantec Validation and ID Protection Service (VIP), an app that generates tokens on the fly on mobile devices and the desktop, and is compatible with PayPal.
Illusion of security
Two Factor Authentication is no guarantee of security, of course. I have been using SMS 2FA, and text messages must pass through a vast, insecure network to get to my phone. Who says they can’t be intercepted? As well, any security system these days is dependent on the fact that my password is actually stored on the server where I’m trying to log in, which means the security of my info is only as strong as the encryption techniques used by the service I’m using. Think Adobe. Combine the insecurity of SMS with potential hacks, and the whole thing seems a bit of a mirage. But, it’s all we’ve got right now. And adding the layer of 2FA on top of a properly encrypted and properly complex password makes me feel a little less naked.
Locked out of PayPal
I would still be using SMS 2FA if I hadn’t been locked out of my PayPal account, a combination of poor SMS service and my own forgetfulness. PayPal’s SMS 2FA tokens were not arriving at my phone. PayPal offers a way to bypass 2FA temporarily by answering a series of security questions, but one of my own practices made that impossible.
I always provide nonsense answers to these security questions, and store the answers in my password manager. This prevents an attacker from digging into my past and guessing answers to those idiotically simple questions like “What was your mother’s maiden name?” In this case, however, I’d obviously changed one of my answers and forgotten to update it in LastPass. So I was effectively locked out of PayPal.
Thankfully, I located my misplaced answer, and managed to log in and deactivate SMS 2FA. But what now? Although 2FA is not perfect, it’s an extra layer of security that makes it more difficult for attackers to gain entry. I needed something.
Alternative to SMS 2FA
Enter Symantec, and their VIP app. It’s essentially a digital version of the Security Keys that PayPal used to distribute, similar to the Google Authenticator app. It provides a unique, temporary (good for 30 seconds) 6-digit key that can serve as a 2FA token. Each installed app has a unique serial number that must be registered with PayPal. So far, it has worked beautifully. And no waiting around for SMS messages!
It would be nice if one of these apps could be used for all the services for which I have 2FA enabled, but that’s just a pipe dream right now. Google Authenticator, for example, won’t work with PayPal. Ah, well. The time will come, I guess. For now, I’ll continue to use SMS if there is no other option, and will use whatever key app is required for various services.
If you’re having trouble with PayPal SMS for 2FA, Symantec’s VIP may be the answer.