What the Heck, Paypal?
Anyone who knows me would agree that I’m a stickler about MFA (Multi-Factor Authentication). I enable it religiously on any online account that provides it, I always utilize the most secure option available, and I get incredibly annoyed when only the weakest options are provided, or worse yet, no MFA options at all. In my opinion, MFA based on SMS text messages should be done away with as quickly as possible. It’s widely regarded as the least secure option, and its weaknesses are well documented.
That’s why I was utterly aghast yesterday morning when I logged into my PayPal account on a new device and was greeted with this:
So let me get this straight: After I went to the trouble of setting up an authenticator app to secure my PayPal account, specifically choosing it over SMS verification, PayPal has unilaterally decided that both this AND my password can be bypassed via a text message? I’ve been hoping for years now that PayPal would finally provide the option to use a U2F token for greater security on what I consider to be a very critical online account, given that it is finance related. Instead, they have committed three heresies against effective online security all at once:
- They have enabled the weakest MFA option after I specifically configured a more secure one.
- They have designed this to bypass even entering a password, effectively disabling MFA. The point is to have multiple authentication factors. Allowing access via a single authentication method changes this from MFA to SFA (Single Factor Authentication).
- They have enabled this MFA bypass “feature” without my knowledge or permission, and applied it by default to show up at every login, with no option for disabling it. Providing this option to those who favor their petty convenience over security would be one thing, but to force it upon all users, including those who specifically chose a more secure MFA method, is ludicrous.
I will most certainly be keeping my options open for PayPal alternatives.