PayPal Allows Bypassing Two-Factor Auth With a Button Click — Claims “It’s For Your Protection”

Alex Pastel on 2022-10-14


UPDATE 11/28: It seems that PayPal may have addressed the issue. The “Log in with a one-time code” button is gone. Apparently it had already been removed in non-U.S. versions and now it has been removed in the U.S. as well 👏.

I woke up this morning to some unexpected SMS messages:

Looks like I’ve shared my code.

That’s weird. I don’t remember using PayPal in my sleep.

It happens though. Every so often, someone enters your email address into a site and hits the “Forgot password” button. The one-time code gets sent to your email or phone, and it dies there because that hacker (or confused person) doesn’t have access to those other things which I own. It’s unlikely they have my password because it’s a randomly generated sequence of 12 or more characters.

“I’ll just enable two-factor authentication with my authenticator app and then I don’t have to worry about my PayPal ever getting hacked.”

Or so I thought.

As it turns out, even enabling 2FA on PayPal doesn’t prevent someone from logging into your account with just your email address and an SMS code. No password necessary.

That’s right. In their infinite wisdom, PayPal (NASDAQ:PYPL) implemented a super convenient method of logging in that doesn’t require having to remember a pesky password.

It’s called “Log in with a one-time code” and it’s terrible.

The “Log in with a one-time code” button appears anytime you’ve typed in an email address that’s linked to a PayPal account.

We all hate passwords, right? Passwords are easy to guess, hard to remember, and the world would do well to get rid of them in the near future. So PayPal, a banking app, offers a convenient way to access your account without entering your password by getting texted a one-time code.

Alright well, that seems like it would be convenient if you really didn’t feel like digging up your password. Many sites like Slack, Cash App, and even Medium allow logging in with just a one-time code sent to your email. I don’t enjoy my banking apps having that feature though, especially if it’s using SMS which is highly hackable. Let me just go ahead and disable that feature so that I always have to log in with my password and authenticator app code.

Well, you can’t.

That’s right, that little “Log in with a one-time code” button is always there. For everyone. And anyone. Sitting right there underneath the regular “Log In” button at all times (as long as you’re on PayPal.com instead of the PayPal app). Anyone who wants to log into your account without a password can do so, even if you have 2FA enabled.

That last part is important and needs to be restated clearly: The “Log in with a one-time code” button completely bypasses all other security measures you may have in place on your account, including two-factor authentication.

So if you have 2FA set up on your PayPal account with, say, the Google Authenticator app or a USB security key, you may as well not have it set up at all. The “Log in with a one-time code” button (which should just be called the just-f*cking-let-me-in button) takes a completely different path of authentication that circumvents the normal password or password-and-token route of authentication. It’s a totally separate route that just requires a one-time SMS code, which has been proven time and time again to be an insecure and easily hackable method of authentication.

Well what the hell, right? There’s no way a banking giant like PayPal would just have this totally insecure and short-sighted feature without plans to get rid of it or have some excuse for its existence, right?

Wrong. PayPal has very little to say about this feature except that “this feature is permanently enabled for the protection of our customers.”

On the paypal-community.com forums, a user named Only1KW started a thread on November 1, 2021 entitled “How do I disable one-time codes”.

On this forum thread, Only1KW expresses frustration with the one-time passcode feature, asking how to disable it so that a password must always be used to log in. In the replies that follow, different PayPal forum moderators attempt to provide a solution, either offering a solution to a different problem, or offering no solutions at all.

PayPal_Natasha states that one-time SMS passcodes are permanently enabled for the “protection” of customers.

The forum thread continues on for several more pages with users balking at the idea of this feature supposedly being there for the protection of customers, when in fact it achieves the exact opposite. The response shown above by PayPal_Natasha is the last reply from a PayPal moderator on the thread.

While one-time passcodes are common among websites and apps, they are always accompanied by another factor of authentication, if desired. While you can log in to your Slack or Cash App with just an email or SMS code, enabling two-factor authentication on either app means that your second factor of authentication is now required. With PayPal, it’s just a suggestion.
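The difference between a one-time-code path that skips 2FA and one that still enforces it, as an added example (not PayPal's code and not part of the original post). The account model, method names and factor labels are constructed assumptions, as is the rule that the channel used for the first step cannot also count as the second factor.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model: every name and factor label here is an illustrative assumption.
PRIMARY_METHODS = {"password", "sms_otp"}

@dataclass
class Account:
    email: str
    enrolled_2fa: set = field(default_factory=set)  # e.g. {"totp", "security_key"}

@dataclass
class LoginAttempt:
    primary_method: str                  # first step the user chose
    primary_ok: bool                     # did that step verify?
    second_factor: Optional[str] = None  # factor presented afterwards, if any
    second_ok: bool = False

def _second_factor_satisfied(acct: Account, a: LoginAttempt) -> bool:
    """Single gate that decides whether the 2FA requirement is met."""
    if not acct.enrolled_2fa:
        return True                      # user never opted in to 2FA
    return (a.second_factor in acct.enrolled_2fa
            and a.second_factor != a.primary_method  # one channel cannot count twice
            and a.second_ok)

def login_bypassable(acct: Account, a: LoginAttempt) -> bool:
    """Design described in the post: the one-time-code route stands alone."""
    if not a.primary_ok:
        return False
    if a.primary_method == "sms_otp":
        return True                      # separate route, 2FA never consulted
    return _second_factor_satisfied(acct, a)

def login_enforced(acct: Account, a: LoginAttempt) -> bool:
    """Every first step converges on the same second-factor gate."""
    if a.primary_method not in PRIMARY_METHODS or not a.primary_ok:
        return False
    return _second_factor_satisfied(acct, a)

# Constructed sample: an account with an authenticator app enrolled,
# and a login that presents only a valid SMS one-time code.
ACCT_2FA = Account("user@example.com", {"totp"})
SMS_ONLY = LoginAttempt("sms_otp", primary_ok=True)
```

With these samples, `login_bypassable(ACCT_2FA, SMS_ONLY)` grants a session while `login_enforced(ACCT_2FA, SMS_ONLY)` refuses until a valid `totp` step follows.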

When looking at the “Security” tab in PayPal’s settings, it’s no wonder that users and customer service reps alike are confused about the different security settings.

“Security” tab in PayPal online account settings.

Aside from the typical security settings of changing your password, enabling 2-step verification, and managing the devices you’re logged into, PayPal also has four additional security settings, none of which include enabling/disabling the one-time passcode login. In fact it could be argued that these additional settings only provide more ways for unauthorized access to your PayPal account. Security questions are widely known to be ineffective and easy to guess, and who knows why two different types of PINs would really be necessary.

Enabling 2FA on PayPal doesn’t prevent someone from logging into your account with just your email address and an SMS code.

“My friend literally had her sim hacked and they accessed her PayPal,” says user Mmcgo1. “For that reason I’ve removed my bank accounts from PayPal.”

“If someone steals my phone, they can immediately make a purchase with Paypal without needing to know my password OR be able to get past the log-in screen of my phone, as these one-time text notifications pop up directly on the lock screen. Who is this even benefiting other than potential criminals?” complains user adampcompton. It’s true — most new iPhones and Android phones by default will display the actual contents of your messages on the lock screen. I highly recommend that you disable this feature in your phone’s settings.

PayPal needs to require two-factor authentication on accounts where users have set it up. The option to log in with a one-time code could at least be paired with a second factor of authentication, such as the security questions or PIN code. Allowing login with a single, unsecure factor of authentication when users have set up 2FA on their accounts is irresponsible and dangerous, and is costing people money.

The only recourse in the meantime is to close your PayPal account.