
Those proprietary 2FA devices are just TOTP with a weird provisioning system.

You can use a tool such as https://github.com/dlenski/python-vipaccess to use Google Authenticator, FreeOTP, etc. to access PayPal.

That said... I believe you still need a mobile number enrolled to enable a token.
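To illustrate the comment above, here is an added example (not part of the thread and not python-vipaccess code) of standard RFC 6238 TOTP: once a token's shared secret is known, any authenticator app can derive the same codes, and the `otpauth://` URI is how apps such as Google Authenticator or FreeOTP import it. The SHA-1, 30-second, 6-digit parameters are the RFC defaults and are assumed here; the secret is the RFC test key, and the issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the number of elapsed time steps."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, candidate: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept codes within +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """Key URI that authenticator apps import (usually rendered as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test key, not a real token
    print(totp(demo_secret, 59))
    print(verify(demo_secret, totp(demo_secret, 59), 59 + 30))
    print(otpauth_uri("ExampleIssuer", "alice", demo_secret))  # constructed names
```

Because the whole scheme rests on the shared secret, the provisioning step and the stored secret are what need protecting, whichever app or device displays the codes.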




The direct URL is https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security... ; it's no longer accessible from their new web interface.


Wow, that actually works. I had to go through many ancient web interfaces, but it works.


Sadly you can easily and trivially bypass the VIP token by providing a credit card number or a few other identifying details. It's worse than the SMS loophole. And another reason why I'm trying to delete my PayPal account. ;-)


Thanks! I didn't realize that was possible either. I just switched my PayPal account to use Google Authenticator instead of SMS, which besides being more secure, is much more convenient since I don't get cell reception in most of my apartment and have to put my phone near a window to get the SMS.



