PayPal does support VIP hardware tokens!

Posted: Tue 05 Jun 2018, 18:26
by prehistoric
Some time ago I bought a box of hardware tokens labeled PayPal and VIP.

I figured this would enable me to add a one-time code from a physically separate device to my PayPal login, making it much harder to hack.

My next problem was that PayPal did not want to admit they still supported this, though I could see videos about people using them. There simply was no way to navigate my account pages using buttons to reach the page needed to activate 2FA with a hardware token. They mainly depended on text SMS messages, which present another problem due to vulnerabilities in SS7.

Here's the answer, though, as you might expect, the exact web pages have changed.

The trick is to enter the exact URL while logged into your PayPal account.

https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key

I haven't found any way to navigate to that page without typing the URL.

For most people the free VIP app on a smart phone will be easier, and that should be more secure than simply sending an SMS text message over SS7. The problem is that programmable devices like phones can be hacked. Hardware tokens designed to resist tampering can't as easily be hacked. With a physically separate hardware token neither your mobile phone nor your computer ever has the seed that generates time-dependent one-time passwords.

What ain't in there can't be hacked.
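
The point about the seed, as an added example that is not part of the original post: the token derives each code from its seed and the current time, and the server checks it with its own copy of the seed, so only the short-lived code ever passes through the phone or computer. This assumes the token follows standard OATH TOTP (RFC 6238), which the post does not state; the seed is the public RFC 6238 test seed, and `totp` and `Verifier` are hypothetical names.

```python
import hashlib
import hmac
import struct

# Public RFC 6238 test seed, used here as constructed sample input.
# A real token's seed is provisioned at manufacture and never leaves it.
SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): what the token computes from its seed."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side (hypothetical): holds the same seed, tolerates clock
    drift of +/- `window` steps, and refuses a code that was already used."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed, self.step, self.window = seed, step, window
        self.last_counter = -1  # highest time step already accepted

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay of an old or already-used step
            expected = totp(self.seed, counter * self.step, self.step)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = Verifier(SEED)
    code = totp(SEED, 59)  # what the token would display at t=59
    # First use is accepted, an immediate replay of the same code is not.
    print(code, server.verify(code, 59), server.verify(code, 59))
```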