I really like the text-message based 2-step verification I have step up for my Facebook account, where I need both my password and the secret code that Facebook sends to my cellphone as a text message to log in. Even if someone rips my password, they can’t get in without my phone too. Cool. [see: Set up login approval for your Facebook account]. My question is: can I do the same for Paypal?
I’m also a huge fan of the two-step verification because I like the idea of a security system based on both what you know (your password) and what you have (your cellphone). Have just one and you’re out of luck, so phishers and key sniffers are left in the cold. Turns out that this is something that a number of different sites are moving towards, notably including Google itself [see: set up 2-step verification security on your Gmail account].
Rather to my surprise, it turns out my bank has a similar system but it’s even more secure because it uses a small handheld gizmo that generates a random sequence of digits based on the time of day (e.g. it’s different each time you log in). Without that “token” device in your hand, you can’t log in to the account, which, given that it’s my main account for my mortgage, savings, and retirement, as well as my portfolio, is a good thing. How did I learn about it? From a friend who also uses the same banking service. They should make it widely available, but… if you’d like better security with your online banking, call your bank and see what they suggest.
Back to PayPal. Turns out that they also have a physical gadget that can be used for two-step verification if you’d prefer not relying on your cellphone, though instead of making it available for free they charge $29.99 for what they call the “PayPal Security Key”. If you want to just use your SMS service on your phone, there’s no charge, so there’s no reason in the world not to set this up and help protect your PayPal account!
I set it up for my account as I use PayPal for a lot of transactions, including if you want to buy me a cup of coffee as a thank you for the reams of free content on my site (hint, hint 🙂
To do that, I started out on the PayPal Security Key page, which showed me this:
Click on the above button if you don’t already have the page displayed. You’ll need to log in to your PayPal account, of course…
But now that you’re logged in, it’s time to decide if you want the $29.99 physical security key or are fine just using your cellphone’s text messaging service:
I chose to register my mobile phone and proceed that way by simply clicking on the middle graphic. If you’d rather get the physical device, click on the left box.
The next step will be to give PayPal your cellphone number:
Easily done. Make sure that you understand that you’re responsible for any fees associated with the incoming text messages, not PayPal. Then again, even if you log in twice a week, that’s less than a dozen codes a month, so it’s not like it’s that much. But still, good to know.
Scroll down, read the small print from the company, and if you’re okay with it all — and here’s where you learn that this also works with your eBay account too, a nice bonus! — click on “Agree and Register”:
Now a security key will be sent to your mobile phone and you’ll see this show up on the computer screen, ready for you to prove you have the phone and got the code:
Meanwhile, on my iPhone…
As you can see, the security code they sent me is 994546 and that it only lasts for five minutes before it expires and is no longer valid. So find your cellphone before you try to log in. 🙂
Once it’s entered correctly, you’re good to go:
The text’s pretty small. It says “Your PayPal Security Key is now active. For more information, text HELP to 777536 or visit the Security Key FAQ in our Security Center. Text STOP for cancel instructions. Standard message charges apply.”
Now every time you log in to your PayPal account it’ll require that you have your phone handy and enter the six-digit code it sends. Nice. Smart. Recommended.