Use an Authenticator App to Login to PayPal

History 🔗︎

PayPal were early adopters of two factor authentication at a time when there was significant distrust in them as an organisation. Depending on what country you were in, you could get one of their own hardware tokens or use a Symantec VIP security token. Neither of these hardware tokens are available any more.

However, they never did adopt what the rest of the world started doing. Using “soft” tokens from a standard authenticator app on smartphones. Examples of these apps are: LastPass Authenticator, Authy, Microsoft Authenticator and Google Authenticator.

Instead, they adopted the use of SMS text messages - which were also adopted by many others due to the fact that most people were, by then, carrying mobile phones of some sort.

The Problem 🔗︎

Unfortunately, over the years since then, the weaknesses of SMS have been discovered. Not only can SMS text messages be intercepted relatively easily (a problem particularly in the USA) but there is now an epidemic of phone account hijacking. Phone account hijacking is where an attacker gets enough information about you that they can pretend to be you and then go on to be able to persuade your mobile phone service provider that you need a replacement SIM card. Once they have a new SIM, they hijack your account and go about changing passwords to key systems such as PayPal, Email, etc. If the second-factor for those systems uses your phone then they hijack those accounts as well.

These are really well-known issues and it is appalling that PayPal haven’t allowed people to use authenticator apps for two-factor authentication as these are a lot more secure. Especially since you can backup the authenticator details and use them on another phone in the case that yours is lost, stolen or broken. That way, you can keep control of your important accounts.

So, when you go onto PayPal and try to activate two-factor authentication, they try to force you to register a phone. Once registered, that phone will receive SMS text messages when you try to log in. You can also have PayPal phone you and you get some backup manual codes that you can type in instead. Using those alternatives isn’t especially obvious.

Please help everyone by complaining to PayPal directly and on social media so that they understand that customers no longer find this behaviour acceptable.

A Solution? 🔗︎

In fact, though, PayPal’s alternative token registration does still exist on their website (at least for now).

It is just *really hard to get to.

It is called Activate your PayPal Security Key.

But how do we get a mobile app that will generate the right codes to go with this page?

Solution 1 - the Symantec VIP app 🔗︎

The old Symantec VIP access tokens are long gone. However, they did replace it with a mobile app.

You can download the app from your phone’s app store. It will show you a “Credential ID” that you will use to plug into the “Serial number” field on the Activate your PayPal Security Key page.

Then you also provide the Security Code from the app that is currently showing, wait for the next code to show and enter that as well.

Great! Pretty simple when you know how!

There is, however, a little problem. There doesn’t appear to be any way to back up that configuration in case your phone is lost, broken or stolen. It would be FAR better if we could use on of the more standard authenticator apps such as those listed above.

Solution 2 - Using a Standard Authenticator App 🔗︎

So, it turns out that we can use a standard authenticator app. But it is certainly pretty painful to do it. The advantage is that some of the better authenticator apps such as LastPass Authenticator and Authy provide the ability to back up your accounts.

Here is a work around that will let you use a standard authenticator app with PayPal. It is involved and clunky but it does - currently at least - work. You will need some minimal knowledge of using a command line.

We will use a set of scripts called python-vipaccess. This will let us pretend to be a Symantec VIP hardware token. There are several versions of this application but only one seems to be maintained, the version by Dan Lenski.

In order to use this work around, you will need a computer that can run Python. So the first step is to install it. You will need v3.x of Python. How you install this will depend on your operating system. The following instructions have been tested on Linux on a Raspberry Pi. You may need to tweak things on other OS’s such as Windows.

You will also need the Python 3 version of something called pip. If using Linux, you should install pip via your package manager. The examples below use Rasbian which is derived from Debian Linux. The package manager for Debian is apt or apt-get.

Finally, the following also assumes that you have an application called git installed. If you don’t have and don’t want to install that, you can manually download the required python-vipaccess application archive from GitHub directly & unpack the archive. We will assume that you are starting on the command line from the folder immediately above the place you’ve unpacked the application (the git clone command does the equivalent).

1. Install the Python 3 version of pip if needed: sudo apt install python3-pip
2. Download an application from GitHub. git clone https://github.com/dlenski/python-vipaccess.git
3. cd python-vipaccess
4. pip3 install -r requirements.txt (takes quite a while on a Pi3. Not entirely sure you need this step or whether the next step does the same thing)
5. pip3 install .

The next problem is that this method of installation does not create an executable!

You have to execute using the following command:

python3 ./vipaccess/cli.py provision -p

Next, open your favoured OTP/Authenticator tool (I prefer LastPass Authenticator). Add a new account using a barcode. Now run the command:

qrencode -t ANSI256 'ZZZ'

Where ZZZ is the long URI output by the provisioning command and looks something like otpauth://totp/VIP%20Access:XXXXXXXXXXXX?issuer=Symantec&algorithm=SHA1&digits=6&period=30&secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY. Don’t forget to add the wrapping single quotes.

XXXXXXXXXXXX being the credential from the provisioning command and YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY being the long code you would also use with oathtool. The whole otpauth URI is given to you so you can simply copy and paste it between the single quotes in the qrencode command.

This generates a visual, 2D barcode in your terminal that you can use in your authenticator app to finish creating the new account. The account will be named “Symantec” by default.

Now go to https://www.paypal.com/cgi-bin/webscr?cmd=_activate-security-key-any

In the resulting form, “Serial Number” is the XXXXXXXXXXXX value. Then you have to enter two security codes from your authenticator app. Enter the code that is currently showing. Then wait 30 sec for the next code to show and enter that.

All being well, you should now have a new activated security key. The key should last for 3 years after which you can create a new one following the same process.